From: Chris Dupont on
Can someone explain why this happens:

When I execute "dcomcnfg" I get a "component services" window,
while I should get "distributed COM configuration properties".
And because I get the wrong window, I can't re-create the default trustee
as explained in the log file.


"Chris Dupont" <chris.dupont(a)telenet.be> wrote in message
news:6lw0n.9766$yi1.4094(a)newsfe22.ams2...
> So now I'm trying to resolve the issues by following the suggestions in
> the log, but I have a problem with adding the ACE with dcomcnfg.exe as
> suggested (see error "default trustee BUILTIN/ADMINISTRATORS was
> removed"). Actually I don't know how to do this; I executed dcomcnfg but
> don't know what to do there and where to do it.
> Anyone who knows how to do this?
>
> Chris.
>
>
> "Chris Dupont" <chris.dupont(a)telenet.be> wrote in message
> news:iGv0n.37112$Ic5.33114(a)newsfe16.ams2...
>> Hello MowGreen,
>>
>> I've discovered that the problem is related to the fact that the Windows
>> WMI-service can't be started.
>> I also can't start 2 other services, cfr. Security center service and
>> Windows firewall service.
>> When trying to start the WMI-service, I always get the following error:
>> "ERROR 126 : can't find module"
>> So I executed the Microsoft WMIdiag.exe tool. In the log created by this
>> tool, I found the following information.
>> Can anyone help me with this? Because I still don't understand what
>> exactly is the cause of these problems.
>>
>> Info from the WMIDiag log:
>>
>> .1261 00:55:22 (1) !! ERROR: (StartService) : Start service 'WINMGMT'
>> command timeout.
>> .1262 00:55:22 (0) ** Verifying WMI providers loaded BEFORE WMIDiag
>> execution.
>> .1263 00:55:52 (1) !! ERROR: (CheckWMIStaticData) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1264 00:55:52 (0) ** Verifying WMI namespace 'Root' (L=1).
>> .1265 00:56:22 (1) !! ERROR: (CheckWMIStaticData) : 0x1AD - ActiveX
>> component can't create object
>> .1266 00:56:52 (1) !! ERROR: (CheckWMIStaticData) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1267 00:56:52 (0) ** Verifying WMI ADAP status.
>> .1268 00:57:22 (1) !! ERROR: (GetADAPStatus) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1269 00:57:22 (0) ** Verifying WMI features.
>> .1270 00:57:22 (3) Opening WMI namespace 'Root'.
>> .1271 00:57:52 (1) !! ERROR: (CheckWMIFeatures) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1272 00:57:52 (3) Opening WMI namespace 'Root/Default'.
>> .1273 00:58:22 (1) !! ERROR: (CheckWMIFeatures) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1274 00:58:22 (3) Opening WMI namespace 'Root/CIMv2'.
>> .1275 00:58:52 (1) !! ERROR: (CheckWMIFeatures) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1276 00:58:52 (3) Opening WMI namespace 'Root/WMI'.
>> .1277 00:59:22 (1) !! ERROR: (CheckWMIFeatures) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1278 00:59:22 (0) ** Collecting system information.
>> .1279 00:59:52 (1) !! ERROR: (CheckWMIInventory) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1280 00:59:52 (0) ** Verifying WMI providers loaded AFTER WMIDiag
>> execution.
>> .1281 01:00:22 (1) !! ERROR: (CheckWMIStaticData) : 0x80080005 -
>> Serveruitvoering is mislukt
>> .1282 01:00:22 (0) ** Verifying WMI Repository files presence.
>> .1283 01:00:22 (3) 'C:\WINDOWS\SYSTEM32\WBEM\Repository\FS' has a size
>> of 11149484 bytes.
>> .1284 01:00:22 (3) 'INDEX.BTR' has a size of 1728512 bytes (Created:
>> 4/01/2010 1:17:20, Last Accessed: 5/01/2010 0:55:00, Last Modified:
>> 20/03/2009 7:47:48).
>> .1285 01:00:22 (3) 'INDEX.MAP' has a size of 904 bytes (Created:
>> 4/01/2010 1:17:20, Last Accessed: 5/01/2010 0:55:00, Last Modified:
>> 20/03/2009 7:47:48).
>> .1286 01:00:22 (3) 'OBJECTS.DATA' has a size of 9404416 bytes
>> (Created: 4/01/2010 1:17:20, Last Accessed: 5/01/2010 0:55:00, Last
>> Modified: 20/03/2009 7:47:48).
>> .1287 01:00:22 (3) 'OBJECTS.MAP' has a size of 4632 bytes (Created:
>> 4/01/2010 1:17:20, Last Accessed: 5/01/2010 0:55:00, Last Modified:
>> 20/03/2009 7:47:49).
>> .1288 01:00:22 (0) ** WMIDiag v2.0 completed.
>> .1289 01:00:22 (0) **
>> .1290 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1291 01:00:22 (0)
>> ** ----------------------------------------------------- WMI REPORT:
>> BEGIN ----------------------------------------------------------
>> .1292 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1293 01:00:22 (0) **
>> .1294 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1295 01:00:22 (0) ** Windows XP - No service pack - 32-bit (2600) - User
>> 'PC-CHRIS\CHRIS DUPONT' on computer 'PC-CHRIS'.
>> .1296 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1297 01:00:22 (0) ** Environment:
>> ........................................................................................................
>> OK..
>> .1298 01:00:22 (0) ** There are no missing WMI system files:
>> ..............................................................................
>> OK.
>> .1299 01:00:22 (0) ** There are no missing WMI repository files:
>> ..........................................................................
>> OK.
>> .1300 01:00:22 (0) ** WMI repository state:
>> ...............................................................................................
>> N/A.
>> .1301 01:00:22 (0) ** BEFORE running WMIDiag:
>> .1302 01:00:22 (0) ** The WMI repository has a size of:
>> ...................................................................................
>> 11 MB.
>> .1303 01:00:22 (0) ** - Disk free space on 'C:':
>> ..........................................................................................
>> 6240 MB.
>> .1304 01:00:22 (0) ** - INDEX.BTR, 1728512 bytes,
>> 20/03/2009 7:47:48
>> .1305 01:00:22 (0) ** - INDEX.MAP, 904 bytes,
>> 20/03/2009 7:47:48
>> .1306 01:00:22 (0) ** - OBJECTS.DATA, 9404416 bytes,
>> 20/03/2009 7:47:48
>> .1307 01:00:22 (0) ** - OBJECTS.MAP, 4632 bytes,
>> 20/03/2009 7:47:49
>> .1308 01:00:22 (0) ** AFTER running WMIDiag:
>> .1309 01:00:22 (0) ** The WMI repository has a size of:
>> ...................................................................................
>> 11 MB.
>> .1310 01:00:22 (0) ** - Disk free space on 'C:':
>> ..........................................................................................
>> 6238 MB.
>> .1311 01:00:22 (0) ** - INDEX.BTR, 1728512 bytes,
>> 20/03/2009 7:47:48
>> .1312 01:00:22 (0) ** - INDEX.MAP, 904 bytes,
>> 20/03/2009 7:47:48
>> .1313 01:00:22 (0) ** - OBJECTS.DATA, 9404416 bytes,
>> 20/03/2009 7:47:48
>> .1314 01:00:22 (0) ** - OBJECTS.MAP, 4632 bytes,
>> 20/03/2009 7:47:49
>> .1315 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1316 01:00:22 (0) ** Windows Firewall:
>> ...................................................................................................
>> NOT INSTALLED.
>> .1317 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1318 01:00:22 (0) ** DCOM Status:
>> ........................................................................................................
>> OK.
>> .1319 01:00:22 (0) ** WMI registry setup:
>> .................................................................................................
>> OK.
>> .1320 01:00:22 (0) ** WMI Service has no dependents:
>> ......................................................................................
>> OK.
>> .1321 01:00:22 (0) ** RPCSS service:
>> ......................................................................................................
>> OK (Already started).
>> .1322 01:00:22 (0) ** WINMGMT service:
>> ....................................................................................................
>> Failed to start.
>> .1323 01:00:22 (0) ** => The WINMGMT service can't be started. This could
>> be due to the following reasons:
>> .1324 01:00:22 (0) ** - The service is DISABLED. You can re-enable the
>> service with the command:
>> .1325 01:00:22 (0) ** i.e. 'SC.EXE CONFIG WINMGMT START= AUTO'
>> .1326 01:00:22 (0) ** Note: The SC.EXE command is available in the
>> Windows Resource Kit.
>> .1327 01:00:22 (0) ** - The WINMGMT service depends on RPCSS service
>> which is DISABLED or unable to start.
>> .1328 01:00:22 (0) ** - If the service is ENABLED but can't start,
>> then the service registry may contains bad data.
>> .1329 01:00:22 (0) ** Note: Registry setup errors should be reported.
>> Follow the steps related to registry issues.
>> .1330 01:00:22 (0) ** => After verifying the registry, if the WMI service
>> does not start yet, you can try to
>> .1331 01:00:22 (0) ** to run the service as a STANDALONE service host
>> or as a SHARED service host (SvcHost)
>> .1332 01:00:22 (0) ** You can achieve this by running ONE of the
>> following commands (case sensitive):
>> .1333 01:00:22 (0) ** - to configure the service to run as a SHARED
>> service host (recommended):
>> .1334 01:00:22 (0) ** i.e. 'RUNDLL32.EXE
>> C:\WINDOWS\SYSTEM32\WBEM\WMISVC.DLL,MoveToShared'
>> .1335 01:00:22 (0) ** - if you have issue to get it running as a
>> SHARED service host, the WMI service
>> .1336 01:00:22 (0) ** can be configured to run as a STANDALONE
>> service host:
>> .1337 01:00:22 (0) ** i.e. 'RUNDLL32.EXE
>> C:\WINDOWS\SYSTEM32\WBEM\WMISVC.DLL,MoveToAlone'
>> .1338 01:00:22 (0) ** => If the registry is correct and the WMI service
>> does not start yet, the WMI repository could be inconsistent.
>> .1339 01:00:22 (0) ** - Validating the repository consistency. In such
>> a case, you must rerun WMIDiag with 'WriteInRepository' parameter
>> .1340 01:00:22 (0) ** to validate the WMI repository operations.
>> .1341 01:00:22 (0) ** Note: ENSURE you are an administrator with FULL
>> access to WMI EVERY namespaces of the computer before
>> .1342 01:00:22 (0) ** executing the WriteInRepository command.
>> To write temporary data from the Root namespace, use:
>> .1343 01:00:22 (0) ** i.e. 'WMIDiag WriteInRepository=Root'
>> .1344 01:00:22 (0) ** - If the WriteInRepository command fails, while
>> being an Administrator with ALL accesses to ALL namespaces
>> .1345 01:00:22 (0) ** the WMI repository must be
>> reconstructed/recovered.
>> .1346 01:00:22 (0) ** - The repository can be recovered from a
>> previous backup.
>> .1347 01:00:22 (0) ** Note: The System State backup or the System
>> Restore snapshot contain a backup of
>> .1348 01:00:22 (0) ** of the WMI repository.
>> .1349 01:00:22 (0) ** => If no backup is available, you must rebuild the
>> repository.
>> .1350 01:00:22 (0) ** - Re-run WMIDiag with the ShowMOFErrors, this
>> will show any MOF file issues.
>> .1351 01:00:22 (0) ** i.e. 'WMIDiag ShowMOFErrors'
>> .1352 01:00:22 (0) ** Note: The WMI repository reconstruction requires
>> to locate all MOF files needed to rebuild the repository,
>> .1353 01:00:22 (0) ** otherwise some applications may fail after
>> the reconstruction.
>> .1354 01:00:22 (0) ** This can be achieved with the following
>> command:
>> .1355 01:00:22 (0) ** i.e. 'WMIDiag ShowMOFErrors'
>> .1356 01:00:22 (0) ** Note: Any missing MOF files, or existing MOF
>> files not listed in the Auto-recovery
>> .1357 01:00:22 (0) ** registry key will be excluded from the WMI
>> repository reconstruction.
>> .1358 01:00:22 (0) ** This may imply the lost of WMI
>> registration information.
>> .1359 01:00:22 (0) ** Note: The repository reconstruction must be a
>> LAST RESORT solution and ONLY after executing
>> .1360 01:00:22 (0) ** ALL fixes previously mentioned.
>> .1361 01:00:22 (2) !! WARNING: Static information stored by external
>> applications in the repository will be LOST! (i.e. SMS Inventory)
>> .1362 01:00:22 (0) ** - To rebuild the WMI repository, you must:
>> .1363 01:00:22 (0) ** - Stop the WMI Service.
>> .1364 01:00:22 (0) ** i.e. 'NET.EXE STOP WINMGMT'
>> .1365 01:00:22 (0) ** - Move the existing WMI repository files to
>> another location.
>> .1366 01:00:22 (0) ** i.e. MOVE
>> C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\*.* %TEMP%
>> .1367 01:00:22 (0) ** - Start the WMI Service.
>> .1368 01:00:22 (0) ** i.e. 'NET.EXE START WINMGMT'
>> .1369 01:00:22 (0) ** WMI will rebuild the WMI repository based the
>> auto-recovery mechanism.
>> .1370 01:00:22 (0) **
>> .1371 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1372 01:00:22 (0) ** WMI service DCOM setup:
>> .............................................................................................
>> OK.
>> .1373 01:00:22 (0) ** WMI components DCOM registrations:
>> ..................................................................................
>> OK.
>> .1374 01:00:22 (0) ** WMI ProgID registrations:
>> ...........................................................................................
>> OK.
>> .1375 01:00:22 (0) ** WMI provider DCOM registrations:
>> ....................................................................................
>> OK.
>> .1376 01:00:22 (0) ** WMI provider CIM registrations:
>> .....................................................................................
>> OK.
>> .1377 01:00:22 (0) ** WMI provider CLSIDs:
>> ................................................................................................
>> OK.
>> .1378 01:00:22 (0) ** WMI providers EXE/DLL availability:
>> .................................................................................
>> OK.
>> .1379 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1380 01:00:22 (0) ** DCOM security for 'My Computer' (Launch &
>> Activation Permissions/Edit Default):
>> ..................................... MODIFIED.
>> .1381 01:00:22 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has
>> been REMOVED!
>> .1382 01:00:22 (0) ** - REMOVED ACE:
>> .1383 01:00:22 (0) ** ACEType: &h0
>> .1384 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1385 01:00:22 (0) ** ACEFlags: &h0
>> .1386 01:00:22 (0) ** ACEMask: &h1
>> .1387 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1388 01:00:22 (0) **
>> .1389 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1390 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1391 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1392 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1393 01:00:22 (0) **
>> .1394 01:00:22 (0) ** DCOM security for 'My Computer' (Launch &
>> Activation Permissions/Edit Default):
>> ..................................... MODIFIED.
>> .1395 01:00:22 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE'
>> has been REMOVED!
>> .1396 01:00:22 (0) ** - REMOVED ACE:
>> .1397 01:00:22 (0) ** ACEType: &h0
>> .1398 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1399 01:00:22 (0) ** ACEFlags: &h0
>> .1400 01:00:22 (0) ** ACEMask: &h1
>> .1401 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1402 01:00:22 (0) **
>> .1403 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1404 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1405 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1406 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1407 01:00:22 (0) **
>> .1408 01:00:22 (0) ** DCOM security for 'Windows Management
>> Instrumentation' (Launch & Activation Permissions):
>> ........................... MODIFIED.
>> .1409 01:00:22 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!
>> .1410 01:00:22 (0) ** - REMOVED ACE:
>> .1411 01:00:22 (0) ** ACEType: &h0
>> .1412 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1413 01:00:22 (0) ** ACEFlags: &h0
>> .1414 01:00:22 (0) ** ACEMask: &h1
>> .1415 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1416 01:00:22 (0) **
>> .1417 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1418 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1419 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1420 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1421 01:00:22 (0) **
>> .1422 01:00:22 (0) ** DCOM security for 'Microsoft WMI Provider Subsystem
>> Host' (Launch & Activation Permissions): ........................
>> MODIFIED.
>> .1423 01:00:22 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has
>> been REMOVED!
>> .1424 01:00:22 (0) ** - REMOVED ACE:
>> .1425 01:00:22 (0) ** ACEType: &h0
>> .1426 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1427 01:00:22 (0) ** ACEFlags: &h0
>> .1428 01:00:22 (0) ** ACEMask: &h1
>> .1429 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1430 01:00:22 (0) **
>> .1431 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1432 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1433 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1434 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1435 01:00:22 (0) **
>> .1436 01:00:22 (0) ** DCOM security for 'Microsoft WMI Provider Subsystem
>> Host' (Launch & Activation Permissions): ........................
>> MODIFIED.
>> .1437 01:00:22 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE'
>> has been REMOVED!
>> .1438 01:00:22 (0) ** - REMOVED ACE:
>> .1439 01:00:22 (0) ** ACEType: &h0
>> .1440 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1441 01:00:22 (0) ** ACEFlags: &h0
>> .1442 01:00:22 (0) ** ACEMask: &h1
>> .1443 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1444 01:00:22 (0) **
>> .1445 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1446 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1447 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1448 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1449 01:00:22 (0) **
>> .1450 01:00:22 (0) ** DCOM security for 'Microsoft WMI Provider Subsystem
>> Host' (Launch & Activation Permissions): ........................
>> MODIFIED.
>> .1451 01:00:22 (1) !! ERROR: Default trustee 'NT AUTHORITY\NETWORK
>> SERVICE' has been REMOVED!
>> .1452 01:00:22 (0) ** - REMOVED ACE:
>> .1453 01:00:22 (0) ** ACEType: &h0
>> .1454 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1455 01:00:22 (0) ** ACEFlags: &h0
>> .1456 01:00:22 (0) ** ACEMask: &h1
>> .1457 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1458 01:00:22 (0) **
>> .1459 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1460 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1461 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1462 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1463 01:00:22 (0) **
>> .1464 01:00:22 (0) ** DCOM security for 'Microsoft WMI Provider Subsystem
>> Host' (Launch & Activation Permissions): ........................
>> MODIFIED.
>> .1465 01:00:22 (1) !! ERROR: Default trustee 'NT AUTHORITY\LOCAL SERVICE'
>> has been REMOVED!
>> .1466 01:00:22 (0) ** - REMOVED ACE:
>> .1467 01:00:22 (0) ** ACEType: &h0
>> .1468 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1469 01:00:22 (0) ** ACEFlags: &h0
>> .1470 01:00:22 (0) ** ACEMask: &h1
>> .1471 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1472 01:00:22 (0) **
>> .1473 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1474 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1475 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1476 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1477 01:00:22 (0) **
>> .1478 01:00:22 (0) ** DCOM security for 'Microsoft WBEM UnSecured
>> Apartment' (Launch & Activation Permissions): ...........................
>> MODIFIED.
>> .1479 01:00:22 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has
>> been REMOVED!
>> .1480 01:00:22 (0) ** - REMOVED ACE:
>> .1481 01:00:22 (0) ** ACEType: &h0
>> .1482 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1483 01:00:22 (0) ** ACEFlags: &h0
>> .1484 01:00:22 (0) ** ACEMask: &h1
>> .1485 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1486 01:00:22 (0) **
>> .1487 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1488 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1489 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1490 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1491 01:00:22 (0) **
>> .1492 01:00:22 (0) ** DCOM security for 'Microsoft WBEM UnSecured
>> Apartment' (Launch & Activation Permissions): ...........................
>> MODIFIED.
>> .1493 01:00:22 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE'
>> has been REMOVED!
>> .1494 01:00:22 (0) ** - REMOVED ACE:
>> .1495 01:00:22 (0) ** ACEType: &h0
>> .1496 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1497 01:00:22 (0) ** ACEFlags: &h0
>> .1498 01:00:22 (0) ** ACEMask: &h1
>> .1499 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1500 01:00:22 (0) **
>> .1501 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1502 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1503 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1504 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1505 01:00:22 (0) **
>> .1506 01:00:22 (0) ** DCOM security for 'Microsoft WBEM UnSecured
>> Apartment' (Launch & Activation Permissions): ...........................
>> MODIFIED.
>> .1507 01:00:22 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has
>> been REMOVED!
>> .1508 01:00:22 (0) ** - REMOVED ACE:
>> .1509 01:00:22 (0) ** ACEType: &h0
>> .1510 01:00:22 (0) ** ACCESS_ALLOWED_ACE_TYPE
>> .1511 01:00:22 (0) ** ACEFlags: &h0
>> .1512 01:00:22 (0) ** ACEMask: &h1
>> .1513 01:00:22 (0) ** DCOM_RIGHT_EXECUTE
>> .1514 01:00:22 (0) **
>> .1515 01:00:22 (0) ** => The REMOVED ACE was part of the DEFAULT setup
>> for the trustee.
>> .1516 01:00:22 (0) ** Removing default security will cause some
>> operations to fail!
>> .1517 01:00:22 (0) ** It is possible to fix this issue by editing the
>> security descriptor and adding the ACE.
>> .1518 01:00:22 (0) ** For DCOM objects, this can be done with
>> 'DCOMCNFG.EXE'.
>> .1519 01:00:22 (0) **
>> .1520 01:00:22 (0) **
>> .1521 01:00:22 (0) ** DCOM security warning(s) detected:
>> ..................................................................................
>> 0.
>> .1522 01:00:22 (0) ** DCOM security error(s) detected:
>> ....................................................................................
>> 10.
>> .1523 01:00:22 (0) ** WMI security warning(s) detected:
>> ...................................................................................
>> 0.
>> .1524 01:00:22 (0) ** WMI security error(s) detected:
>> .....................................................................................
>> 0.
>> .1525 01:00:22 (0) **
>> .1526 01:00:22 (1) !! ERROR: Overall DCOM security status:
>> ................................................................................
>> ERROR!
>> .1527 01:00:22 (0) ** Overall WMI security status:
>> ........................................................................................
>> OK.
>> .1528 01:00:22 (0) ** - Started at
>> 'Root' --------------------------------------------------------------------------------------------------------------
>> .1529 01:00:22 (0) ** WMI permanent SUBSCRIPTION(S):
>> ......................................................................................
>> NONE.
>> .1530 01:00:22 (0) ** WMI TIMER instruction(s):
>> ...........................................................................................
>> NONE.
>> .1531 01:00:22 (1) !! ERROR: WMI ADAP status:
>> .............................................................................................
>> NOT AVAILABLE.
>> .1532 01:00:22 (0) ** You can start the WMI AutoDiscovery/AutoPurge
>> (ADAP) process to resynchronize
>> .1533 01:00:22 (0) ** the performance counters with the WMI
>> performance classes with the following commands:
>> .1534 01:00:22 (0) ** i.e. 'WINMGMT.EXE /CLEARADAP'
>> .1535 01:00:22 (0) ** i.e. 'WINMGMT.EXE /RESYNCPERF'
>> .1536 01:00:22 (0) ** The ADAP process logs informative events in the
>> Windows NT event log.
>> .1537 01:00:22 (0) ** More information can be found on MSDN at:
>> .1538 01:00:22 (0) **
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_adap_event_log_events.asp
>> .1539 01:00:22 (1) !! ERROR: WMI MONIKER CONNECTION errors occured for
>> the following namespaces: .......................................... 1
>> ERROR(S)!
>> .1540 01:00:22 (0) ** - Root, 0x1AD - ActiveX component can't create
>> object.
>> .1541 01:00:22 (0) **
>> .1542 01:00:22 (1) !! ERROR: WMI CONNECTION errors occured for the
>> following namespaces: ..................................................
>> 5 ERROR(S)!
>> .1543 01:00:22 (0) ** - Root, 0x80080005 - Serveruitvoering is mislukt.
>> .1544 01:00:22 (0) ** - Root, 0x80080005 - Serveruitvoering is mislukt.
>> .1545 01:00:22 (0) ** - Root/Default, 0x80080005 - Serveruitvoering is
>> mislukt.
>> .1546 01:00:22 (0) ** - Root/CIMv2, 0x80080005 - Serveruitvoering is
>> mislukt.
>> .1547 01:00:22 (0) ** - Root/WMI, 0x80080005 - Serveruitvoering is
>> mislukt.
>> .1548 01:00:22 (0) **
>> .1549 01:00:22 (0) ** WMI GET operations:
>> .................................................................................................
>> OK.
>> .1550 01:00:22 (0) ** WMI MOF representations:
>> ............................................................................................
>> OK.
>> .1551 01:00:22 (0) ** WMI QUALIFIER access operations:
>> ....................................................................................
>> OK.
>> .1552 01:00:22 (0) ** WMI ENUMERATION operations:
>> .........................................................................................
>> OK.
>> .1553 01:00:22 (0) ** WMI EXECQUERY operations:
>> ...........................................................................................
>> OK.
>> .1554 01:00:22 (0) ** WMI GET VALUE operations:
>> ...........................................................................................
>> OK.
>> .1555 01:00:22 (0) ** WMI WRITE operations:
>> ...............................................................................................
>> NOT TESTED.
>> .1556 01:00:22 (0) ** WMI PUT operations:
>> .................................................................................................
>> NOT TESTED.
>> .1557 01:00:22 (0) ** WMI DELETE operations:
>> ..............................................................................................
>> NOT TESTED.
>> .1558 01:00:22 (0) ** WMI static instances retrieved:
>> .....................................................................................
>> 0.
>> .1559 01:00:22 (0) ** WMI dynamic instances retrieved:
>> ....................................................................................
>> 0.
>> .1560 01:00:22 (0) ** WMI instance request cancellations (to limit
>> performance impact): ...................................................
>> 0.
>> .1561 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1562 01:00:22 (0) **
>> .1563 01:00:22 (0) ** 1 error(s) 0x1AD - (WBEM_UNKNOWN) This error code
>> is external to WMI.
>> .1564 01:00:22 (0) **
>> .1565 01:00:22 (0) ** 5 error(s) 0x80080005 - (WBEM_UNKNOWN) This error
>> code is external to WMI.
>> .1566 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1567 01:00:22 (0) ** WMI Registry key setup:
>> .............................................................................................
>> OK.
>> .1568 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1569 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1570 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1571 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1572 01:00:22 (0) **
>> .1573 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1574 01:00:22 (0)
>> ** ------------------------------------------------------ WMI REPORT:
>> END -----------------------------------------------------------
>> .1575 01:00:22 (0)
>> ** ----------------------------------------------------------------------------------------------------------------------------------
>> .1576 01:00:22 (0) **
>> .1577 01:00:22 (0) ** ERROR: WMIDiag detected issues that could prevent
>> WMI to work properly!. Check 'C:\DOCUMENTS AND SETTINGS\CHRIS
>> DUPONT\LOCAL
>> SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_PC-CHRIS_2010.01.05_00.54.46.LOG'
>> for details.
>> .1578 01:00:22 (0) **
>> .1579 01:00:22 (0) ** WMIDiag executed in 6 minutes.
>> .1580 01:00:22 (3)
>> .1582 01:00:22 (3)
>> .1583 01:00:22 (0) ** WMIDiag v2.0 ended on dinsdag 5 januari 2010 at
>> 01:00 (W:104 E:25 S:1).
>> .1890 01:00:22 (0) ** TXT file "C:\DOCUMENTS AND SETTINGS\CHRIS
>> DUPONT\LOCAL
>> SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_PC-CHRIS_2010.01.05_00.54.46-REPORT.TXT"
>> closed.
>> .1891 01:00:22 (0) ** CSV file "C:\DOCUMENTS AND SETTINGS\CHRIS
>> DUPONT\LOCAL
>> SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_PC-CHRIS_2010.01.05_00.54.46-STATISTICS.CSV"
>> closed.
>> .1892 01:00:22 (0) ** LOG file "C:\DOCUMENTS AND SETTINGS\CHRIS
>> DUPONT\LOCAL
>> SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_PC-CHRIS_2010.01.05_00.54.46.LOG"
>> closed.
>>
>>
>>
>> Any help would be greatly appreciated,
>>
>> Chris.
>>
>>
>>
>> "MowGreen" <mowgreen(a)nowandzen.com> wrote in message
>> news:%23KfwzIXjKHA.5020(a)TK2MSFTNGP02.phx.gbl...
>>> 0x8024000b means that the operation was cancelled.
>>> The green bar scrolling endlessly is occurring because of
>>> error 0x80080005
>>>
>>> 2010-01-03 21:09:34:390 1424 808 Agent WARNING: Failed to evaluate
>>> Installed rule, updateId = {02FF0A91-FC2F-4218-AAF5-D28FDD327581}.105,
>>> hr = 80080005
>>>
>>> Either there's corruption in the CatRoot2 subfolder or the winsock stack
>>> is damaged.
>>>
>>> First, suggest you do a clean boot of XP and see if it can search for
>>> updates while in the clean boot state:
>>>
>>> How to configure Windows XP to start in a "clean boot" state
>>> http://support.microsoft.com/kb/310353
>>>
>>> If the system can search for updates, then the issue is being caused by
>>> 'something' that Kaspersky has done or is doing.
>>>
>>> If the system can not search for updates, while still in the clean boot
>>> state, open a Command Prompt ( Start > Run > type in cmd > click OK )
>>> At the prompt, type in the following commands, pressing Enter after
>>> *each* one
>>>
>>> netsh winsock reset
>>> exit
>>>
>>> After the first command is entered you'll get a message stating the
>>> system must be restarted. Enter the second command, which will close the
>>> Command Prompt window, and then restart the system.
>>> Check once more to see if it can search for updates.
>>>
>>> If it still can not, please run the following from Start > Run
>>> type in sigverif.exe > click OK
>>> Click Advanced
>>> Click 'Notify me if any system files are not signed'
>>> On the Logging tab, make sure the 'Save the file signature
>>> verification results to a log file' check box is selected
>>> Name the log SigVerif.txt and click OK
>>> Click Start
>>>
>>> When the tool is done running, copy and paste it into your reply please,
>>> Chris.
>>>
>>> Also, please copy and paste the last 50 or so lines of the
>>> WindowsUpdate.log along with the SigVerif.txt.
>>> What we're looking for is the Version of the Windows Update Agent, which
>>> will look like this in the WU.log:
>>>
>>> 2010-01-04 07:40:50:162 980 910 Misc =========== Logging initialized
>>> (build: 7.4.7600.226
>>>
>>> How to read the Windowsupdate.log file
>>> http://support.microsoft.com/kb/902093
>>>
>>>
>>>
>>> MowGreen
>>> ===============
>>> *-343-* FDNY
>>> Never Forgotten
>>> ===============
>>>
>>> banthecheck.com
>>> "Security updates should *never* have *non-security content* prechecked"
>>>
>>>
>>>
>>> Chris Dupont wrote:
>>>
>>>> Hello,
>>>>
>>>> When trying to update via the windows update site, the green bar
>>>> just keeps on scrolling endlessly....
>>>>
>>>> I found the following info in my windowsupdate.log (does anyone have
>>>> any idea what might be the problem here?) :
>>>>
>>>>
>>>> 2010-01-03 21:09:34:390 1424 808 Agent WARNING: Failed to evaluate
>>>> Installed rule, updateId = {02FF0A91-FC2F-4218-AAF5-D28FDD327581}.105,
>>>> hr = 80080005
>>>> 2010-01-03 21:09:34:390 1424 808 PT WARNING:
>>>> CAgentUpdateManager::DetectForUpdates failed: 0x8024000b
>>>> 2010-01-03 21:09:34:390 1424 808 PT WARNING: Sync of Updates:
>>>> 0x8024000b
>>>> 2010-01-03 21:09:34:390 1424 808 PT WARNING: SyncServerUpdatesInternal
>>>> failed: 0x8024000b
>>>> 2010-01-03 21:09:34:390 1424 808 Agent * WARNING: Failed to
>>>> synchronize, error = 0x8024000B
>>>> 2010-01-03 21:09:34:562 1424 808 Agent * WARNING: Exit code =
>>>> 0x8024000B
>>>> 2010-01-03 21:09:34:562 1424 808 Agent *********
>>>> 2010-01-03 21:09:34:562 1424 808 Agent ** END ** Agent: Finding
>>>> updates [CallerId = MicrosoftUpdate]
>>>> 2010-01-03 21:09:34:562 1424 808 Agent *************
>>>> 2010-01-03 21:09:34:562 1424 808 Agent WARNING: WU client failed
>>>> Searching for update with error 0x8024000b
>>>> 2010-01-03 21:09:34:578 3544 380 COMAPI >>-- RESUMED -- COMAPI:
>>>> Search [ClientId = MicrosoftUpdate]
>>>> 2010-01-03 21:09:34:578 3544 380 COMAPI - Updates found = 0
>>>> 2010-01-03 21:09:34:578 3544 380 COMAPI - WARNING: Exit code =
>>>> 0x00000000, Result code = 0x8024000B
>>>> 2010-01-03 21:09:34:578 3544 380 COMAPI ---------
>>>> 2010-01-03 21:09:34:578 3544 380 COMAPI -- END -- COMAPI: Search
>>>> [ClientId = MicrosoftUpdate]
>>>> 2010-01-03 21:09:34:578 3544 380 COMAPI -------------
>>>> 2010-01-03 21:09:34:578 3544 c7c COMAPI -------------
>>>> 2010-01-03 21:09:34:578 3544 c7c COMAPI -- START -- COMAPI: Search
>>>> [ClientId = MicrosoftUpdate]
>>>> 2010-01-03 21:09:34:578 3544 c7c COMAPI ---------
>>>> 2010-01-03 21:09:34:593 1424 808 Agent *************
>>>> 2010-01-03 21:09:34:593 1424 808 Agent ** START ** Agent: Finding
>>>> updates [CallerId = MicrosoftUpdate]
>>>> 2010-01-03 21:09:34:593 1424 808 Agent *********
>>>> 2010-01-03 21:09:34:593 1424 808 Agent * Online = No; Ignore download
>>>> priority = No
>>>> 2010-01-03 21:09:34:593 1424 808 Agent * Criteria = "IsInstalled = 0
>>>> and IsHidden = 1"
>>>> 2010-01-03 21:09:34:593 1424 808 Agent * ServiceID =
>>>> {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
>>>> 2010-01-03 21:09:34:593 1424 808 Agent * Search Scope = {Machine}
>>>> 2010-01-03 21:09:34:593 3544 c7c COMAPI <<-- SUBMITTED -- COMAPI:
>>>> Search [ClientId = MicrosoftUpdate]
>>>> 2010-01-03 21:09:34:906 1424 808 Agent * WARNING: Exit code =
>>>> 0x8024000B
>>>> 2010-01-03 21:09:34:906 1424 808 Agent *********
>>>> 2010-01-03 21:09:34:906 1424 808 Agent ** END ** Agent: Finding
>>>> updates [CallerId = MicrosoftUpdate]
>>>> 2010-01-03 21:09:34:906 1424 808 Agent *************
>>>> 2010-01-03 21:09:34:906 1424 808 Agent WARNING: WU client failed
>>>> Searching for update with error 0x8024000b
>>>> 2010-01-03 21:09:34:906 1424 b30 Agent WARNING: WU client fails to call
>>>> back to search call {7A29DE6E-891E-4DFA-BFC3-7E7F33900655} with error
>>>> 0x8024000c
>>>>
>>
>
>
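
The triage MowGreen asks for above (read the failing HRESULTs out of WindowsUpdate.log and find the Windows Update Agent build), as an added example that is not part of any post in this thread. The sample input is assembled from log lines quoted in the thread; the function names are hypothetical, and the symbolic names for the three codes are an assumption taken from the Windows SDK headers rather than from the thread.

```python
import re
from collections import Counter

# Sample input: log entries quoted in this thread, kept with their Usenet quote
# prefixes and hard line wraps so the parser has to undo both.
SAMPLE = """\
>>>> 2010-01-03 21:09:34:390 1424 808 Agent WARNING: Failed to evaluate
>>>> Installed rule, updateId = {02FF0A91-FC2F-4218-AAF5-D28FDD327581}.105,
>>>> hr
>>>> = 80080005
>>>> 2010-01-03 21:09:34:390 1424 808 PT WARNING:
>>>> CAgentUpdateManager::DetectForUpdates failed: 0x8024000b
>>>> 2010-01-03 21:09:34:562 1424 808 Agent * WARNING: Exit code =
>>>> 0x8024000B
>>>> 2010-01-03 21:09:34:578 3544 380 COMAPI - WARNING: Exit code =
>>>> 0x00000000, Result code = 0x8024000B
>>>> 2010-01-03 21:09:34:906 1424 b30 Agent WARNING: WU client fails to call
>>>> back to search call {7A29DE6E-891E-4DFA-BFC3-7E7F33900655} with error
>>>> 0x8024000c
>>> 2010-01-04 07:40:50:162 980 910 Misc =========== Logging initialized
>>> (build: 7.4.7600.226
"""

QUOTE = re.compile(r"^(?:>\s?)+")
ENTRY = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})\s+(\w+)\s+(\w+)\s+(\w+)\s*(.*)$")
# "0x" + 8 hex digits, or the bare "hr = 80080005" form; GUID chunks do not match.
HRESULT = re.compile(r"(?:\b0x|\bhr\s*=\s*(?:0x)?)([0-9a-f]{8})\b", re.I)
BUILD = re.compile(r"\(build:\s*([\d.]+)")

# Assumption: SDK names for the codes seen in the thread; others show as "unknown".
NAMES = {
    0x80080005: "CO_E_SERVER_EXEC_FAILURE (server execution failed)",
    0x8024000B: "WU_E_CALL_CANCELLED (operation was cancelled)",
    0x8024000C: "WU_E_NOOP (no operation was required)",
}
FACILITIES = {8: "FACILITY_WINDOWS", 36: "FACILITY_WINDOWSUPDATE"}


def parse_entries(text):
    """Rejoin wrapped lines into one record per timestamped log entry."""
    entries = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            ts, pid, tid, component, msg = m.groups()
            entries.append({"ts": ts, "pid": pid, "tid": tid,
                            "component": component, "msg": msg})
        elif entries:
            # Continuation of a wrapped entry: glue it back with one space.
            entries[-1]["msg"] += " " + line
    for e in entries:
        e["codes"] = [int(h, 16) for h in HRESULT.findall(e["msg"])]
    return entries


def decode(hr):
    """Split a 32-bit HRESULT into severity bit, facility and code fields."""
    facility = (hr >> 16) & 0x7FF
    return {"failed": bool(hr & 0x80000000),
            "facility": FACILITIES.get(facility, str(facility)),
            "code": hr & 0xFFFF,
            "name": NAMES.get(hr, "unknown")}


def failures(entries):
    """Every (entry, hresult) pair whose severity bit is set; 0x00000000 is skipped."""
    return [(e, hr) for e in entries for hr in e["codes"] if decode(hr)["failed"]]


def summarize(entries):
    """Count failing HRESULTs per (component, code)."""
    return Counter((e["component"], hr) for e, hr in failures(entries))


def first_failure(entries):
    """Earliest failing entry; these timestamps sort correctly as strings."""
    hits = failures(entries)
    if not hits:
        return None
    e, hr = min(hits, key=lambda pair: pair[0]["ts"])
    return e["component"], hr


def agent_build(entries):
    """Windows Update Agent version from the 'Logging initialized' line."""
    for e in entries:
        m = BUILD.search(e["msg"])
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    log = parse_entries(SAMPLE)
    print("agent build:", agent_build(log))
    print("first failure: %s 0x%08X" % first_failure(log))
    for (component, hr), n in sorted(summarize(log).items()):
        d = decode(hr)
        print(f"{component:7} 0x{hr:08X} x{n} {d['facility']} {d['name']}")
```

On the sample, the earliest failing code is 0x80080005 from the Agent component and every later failure is a 0x8024000B/0x8024000C follow-on, which is the ordering MowGreen's reply relies on.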


From: Chris Dupont on
It is true that in the past, I ran "hijackthis" software to show security
breaches.
In the past, I also had Norton Anti-Virus, which I replaced with KAV
about 2 years ago. The subscription expired briefly a year ago
for about 2 days.
Any way to solve this?



"PA Bear [MS MVP]" <PABearMVP(a)gmail.com> wrote in message
news:eW4LcfajKHA.4912(a)TK2MSFTNGP02.phx.gbl...
> This "smells" like the result of a hijackware infection. How long has KAV
> been installed? Has your subscription ever expired, however briefly?
>
> Has a Norton or McAfee application ever been installed on this machine
> (e.g., a free-trial version that came preinstalled when you bought it)?
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Client - since 2002
>
>


From: Shenan Stanley on
Chris Dupont wrote:
> It is true that in the past, I ran "hijackthis" software to show
> security breaches.
> In the past, I also had Norton Anti-Virus, which I replaced with KAV
> about 2 years ago. The subscription expired briefly a year ago
> for about 2 days.
> Any way to solve this?

Did you ever run through my suggestions? All of them? In order?
Not skipping because you think you have done one of them
- repeating even if you *have* done one.

Reboot and logon as administrative user.

You should start with this (new):
http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039?OpenDocument&seg=hm&lg=en&ct=us

Reboot and logon as administrative user.

Also - do you have *any* third party firewalls? Is it part of your
antivirus? Even if so - uninstall it - I would say just to disable it,
but sometimes that is not enough. You've been working on this
a while. Ensure - if you remove a firewall - your windows xp
firewall is enabled and for now - set to have *no exceptions*.

Reboot and logon as administrative user.

Download, install, run, update and perform a full scan with the following
(freeware version):

SuperAntiSpyware
http://www.superantispyware.com/

Reboot and logon as administrative user.

Download, install, run, update and perform a full scan with the following
(freeware version):

MalwareBytes
http://www.malwarebytes.com/

Reboot and logon as administrative user.

Download and run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

You may find nothing, you may find only cookies, you may think it is a
waste of time - but if you do all this and report back here with what you
do/don't find as you are doing all of it - you are adding more pieces to
the puzzle and the entire picture just may become clearer and your
problem resolved.

You also should run a full CHKDSK and defragmentation.

Windows XP CHKDSK:
http://support.microsoft.com/kb/315265

Windows XP Defragmentation:
http://support.microsoft.com/kb/314848

Reboot and logon as administrative user.

Download/Install the latest Windows Installer (for your OS):
( Windows XP 32-bit : WindowsXP-KB942288-v3-x86.exe )
http://www.microsoft.com/downloadS/details.aspx?familyid=5A58B56F-60B6-4412-95B9-54D056D6F9F4&displaylang=en

Reboot and logon as administrative user.

Download the latest version of the Windows Update agent from here (x86):
http://go.microsoft.com/fwlink/?LinkID=91237
.... and save it to the root of your C:\ drive. After saving it to the
root of the C:\ drive, do the following:

Close all Internet Explorer windows and other applications.

Start button --> RUN and type in:
%SystemDrive%\windowsupdateagent30-x86.exe /WUFORCE
--> Click OK.

(If asked, select "Run".) --> Click on NEXT --> Select "I agree" and click on
NEXT --> When it finishes installing, click on "Finish"...

Reboot and logon as administrative user.

Continue by fixing your Windows Update system...

How do I reset Windows Update components?
http://support.microsoft.com/kb/971058

.... and click on the "Microsoft Fix it" icon. When asked, select "RUN",
both times. Check the "I agree" box and click on "Next". Check the box
for "Run aggressive options (not recommended)" and click "Next". Let
it finish up and follow the prompts until it is done. Close/exit and
reboot when it is.

Reboot and logon as administrative user.

Visit http://windowsupdate.microsoft.com/ in Internet Explorer and
select to do a CUSTOM scan...

Every time you are about to click on something while at these web pages -
first press and hold down the CTRL key while you click on it. You can
release the CTRL key after clicking each time.

Once the scan is done, select just _ONE_ of the high priority updates
(deselect any others) and install it.

Reboot again.

If it did work - try the web page again - selecting no more than 3-5 at a
time. Rebooting as needed.

The Optional Software updates are generally safe - although I recommend
against the "Windows Search" one and any of the "Office Live" ones or
"Windows Live" ones for now. I would completely avoid the
Optional Hardware updates. Also - I do not see any urgent need to
install Internet Explorer 8 at this time.

Then - when done - let everyone here know if it worked for you - or if
you have more issues.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


From: Chris Dupont on
Hello Shenan,

I already did norton removal, superantispyware, malwarebytes and MSRT.
Results :

1) Norton removal tool : executed
2) Superantispyware : 700 threats which were under "Adware.Tracking Cookie"
3) Malwarebytes :
Infected Registry Keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302}
(Search.Hijacker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e}
(Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and
deleted successfully.


Now i will do the rest and report back here when it's done.

grtz,
Chris.




From: PA Bear [MS MVP] on
> In the past, I also had Norton Anti-Virus, which I replaced with KAV
> about 2 years ago. The subscription expired briefly a year ago
> for about 2 days. Any way to solve this?

Sure! Back-up any personal data (none of which should be considered 100%
trustworthy at this point) then do a format & clean install of Windows.
Please note that a Repair Install (AKA in-place upgrade) will NOT fix this!

HOW TO do a clean install of WinXP: See
http://michaelstevenstech.com/cleanxpinstall.html#steps and/or Method 1 in
http://support.microsoft.com/kb/978307

After the clean install, you'll have the equivalent of a "new computer" so
take care of everything on the following page before otherwise connecting
the machine to the internet or a network and before using a USB key that
isn't brand-new or hasn't been freshly formatted:

4 steps to help protect your new computer before you go online
http://www.microsoft.com/security/pypc.aspx

Other helpful references include:

HOW TO get a computer running WinXP Gold (no Service Packs) fully patched
(after a clean install)
http://groups.google.com/group/microsoft.public.windowsupdate/msg/3f5afa8ed33e121c

HOW TO get a computer running WinXP SP1(a) or SP2 fully patched (after a
clean install)
http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b

Tip: After getting the computer fully-patched, download/install KB971029
manually: http://support.microsoft.com/kb/971029

NB: Any Norton or McAfee free-trial that came preinstalled on the computer
when you bought it will be reinstalled (but invalid) when Windows is
reinstalled. You MUST uninstall the free-trial and download/run the
appropriate removal tool before installing any Windows Service Packs or IE
upgrades and before installing your new anti-virus application (e.g., KAV;
which will require WinXP SP3 to be installed).

Norton Removal Tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

McAfee Consumer Products Removal Tool
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see:

Steps To Help Prevent Spyware
http://www.microsoft.com/security/spyware/prevent.aspx

Steps to Help Prevent Computer Worms
http://www.microsoft.com/security/worms/prevent.aspx

Avoid Rogue Security Software!
http://www.microsoft.com/security/antivirus/rogue.aspx
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com

