Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

N

NemesisDB

7.9K Posts

7268

August 13th, 2010 11:00

Windows Update Fails (Vista, Error 80080005) / Windows Modules Installer Service Cannot Start

I am attempting to fix a family member's HP laptop.  Windows Vista Home Premium SP2 cannot currently check for Windows Updates or install any such updates that are manually downloaded.  The computer has Kaspersky Internet Security 9.0.0.736 installed.  It does not report any current threats (for what that's worth).  The AV was disabled at the time of the HJT scan.

The last truely successful Windows Updates appears to have been from April 2010, judging from the update history.  Since that time, KB979683 has been reinstalled several more times (as recently as a few days ago).

When I attempt to check for new updates, I receive an error code of 80080005 "Windows Update encountered an Unknown Error."  I have tried both Windows and Microsoft Update.  Updates downloaded manually also fail.  From my own troubleshooting (along with some help from google), I noticed that the Windows Modules Installer Service could not be started.  Attempting to manually start the service results in "Error 126: The specified module could not be found."

I noted that the Windows Installer Service was effectively TrustedInstaller.exe.  I attempted to start the program manually with process monitor enabled.  I used the default filters and also filtered for process equal to TrustedInstaller.exe.  I would attach the results but they are too large for this forum and dell does not like the file type.  If anyone would like to see them, please PM me an email address or tell me a better place to host (they are around 1mb, or 120k zipped).  Of note, towards the end, there was a path not found error for C:\Windows\servicing\0.0.0.1\cbscore.dll .  I found one other poor soul with this problem on MS forums, but the replies did not seem helpful.

HP did not provide me with physical media.  All I can do is restore from a hidden HD partition (which would wipe all data).  I have OEM Dell Vista media if that would be helpful.

At the end of the day, this problem may not be malware, but I would like to rule it out.  Along the way, if anyone has a solution to the problem, that would be great as well.

HJT Log Follows:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:59:40 AM, on 8/13/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RMClock] "C:\Program Files\RMClock\RMClockLauncher.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Update Service (gupdate1c9a45adccb2256) (gupdate1c9a45adccb2256) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8786 bytes

 

NemesisDB

7.9K Posts

August 17th, 2010 13:00

I will run the scan after I post this.  In answer to your question, it looks like the current version of kaspersky was installed on 11/26/2009 .  The subscription apparently expired a few weeks ago, and it has not been updated since that time (kaspersky will not show me the definition dates).  A new subscription was recently purchased, but it would be preferable to the owners to wait a few days to activate it (as one of their other computers has several days on the license still remaining and it's a three-pack).

Quarantine Log:

2010-08-17 16:05:01 . 2010-08-17 16:05:01            1,204 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_MEMSWEEP2.reg.dat
2010-08-17 16:05:01 . 2010-08-17 16:05:01            1,144 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_KEONWFGIX.reg.dat
2010-08-17 16:05:01 . 2010-08-17 16:05:01            1,054 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Legacy_MEMSWEEP2.reg.dat
2010-08-15 21:26:40 . 2010-08-17 15:54:25            1,347 ----a-w-  C:\Qoobox\Quarantine\catchme.txt
2010-08-15 15:26:57 . 2010-08-15 15:26:57              140 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-WinampAgent.reg.dat
2010-08-15 15:26:56 . 2010-08-15 15:26:56              144 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-RMClock.reg.dat
2010-08-15 15:26:56 . 2010-08-15 15:26:56              164 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-HPAdvisor.reg.dat
2010-08-15 15:10:01 . 2010-08-15 15:10:01              822 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Legacy_PROCEXP141.reg.dat
2010-08-15 15:09:32 . 2010-08-17 16:04:32            6,491 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-08-15 14:56:22 . 2010-08-17 15:54:22              401 ----a-w-  C:\Qoobox\Quarantine\catchme.log

NemesisDB

7.9K Posts

August 17th, 2010 15:00

Scan is complete (just under 2 hours to run).  No threats were detected.   Do you see any benefit to running FixIt 50202 again (http://support.microsoft.com/kb/971058), assuming that we're done cleaning?  I ran it before starting this thread without any luck.

Any other thoughts on how to fix windows update?

NemesisDB

7.9K Posts

August 17th, 2010 16:00

K27, thanks again for your help throughout all of this.  If you don't think it's malware, and don't have any other ideas about how to fix the problem, then I suppose a reinstall is in order.  I should probably note that SFC fails as well, as it too depends on the Windows Modules Installer service.  I made a backup of this system many, many, many months ago (last time i was in town) ...  think I'd have any luck turning UAC off and copying system files over?

kevin27_b3d29f

1.5K Posts

August 17th, 2010 16:00

In all honesty, I do not think this is malware related.

Give the MS Fix a try, its not going to hurt.

Before running the MS fix, download and run CCleaner, I will post the instructions for you in case it is not installed on the system, then run the MS Fix, if the updates still fail after that then try booting into safe mode using the F8 method and boot to Safe Mode With Networking. Try running Windows update from there and see how it goes.

 

 

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:

  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

kevin27_b3d29f

1.5K Posts

August 17th, 2010 23:00

Hi NemesisDB,

I take it that running Windows Update in Safe Mode was a no go?

If you could get SCF to work, you would need a Vista disk for it to replace any missing/corrupt files that it needed to replace, I'm sure I remember you saying you did not have one.

I'll be totally honest here, option's one and two below, I found via google, option three just seems like the next logical step rather than doing a full R&R.

I'm am more than happy to continue to trouble shoot with you on this but it may take a bit of time to find a soloution, there are a lot of people far wiser than me when it comes to how Windows works, if you prefer you can post in the "Software and OS" forum, the techs in there may be able to help better than I ever could. Your call, if you do decide to seek expert help, please let me know as we have to remove the tools we used and do some general housekeeping first. Please do not just delete the tools as there are certain ways that they need to be done.

There are a few things you could try,

1) Go to this MS web site http://support.microsoft.com/kb/949104 and download and run the Windows Update Agent, it may just be enough to get you going.

2) Check the C:Windows\System32 folder for a file called winhttp.dll, apparently, if this file is missing, you will get the error code you are receiving.

2) Two if you do have your Windows Media, try a Repair Install, you will not lose any file's/Programs/Data but it may be enough to get the Updates working

Hope this was of some help,

Thanks,
K27.

NemesisDB

7.9K Posts

August 18th, 2010 11:00

K27,

I want to start off by thanking you again for all of your help with this issue.  You and this forum do great work.  Unfortunately, in this case, I decided to just bite the bullet and do a factory restore.  I had previously tried to install the new windows agent, but unfortunately the install process requires the broken service (as nearly every MS download seems to do).  I did have the winhttp.dll file and its checksum was correct from what I could tell.  Lastly, I only had Dell OEM media and wasn't sure if that would have fixed the problem (or if there might be activation issues) -- while the reinstall path is longer (and installing SP1 and 2 took hours), I think I should end up with a better result in the end.

Thanks again.

kevin27_b3d29f

1.5K Posts

August 18th, 2010 13:00

Hi NemesisDB,

Sometimes it is quicker to just R&R. Thank you for letting me know. I will post my standard general "prevention" speech, you may very well know most of this but it never hurts.

 

Now some advice on how to surf safe in the future.

ALWAYS keep all programs on your PC up to date and this especially means your Anti-Virus/Anti-Spyware/Firewall/Java and Adobe programs.
They can all be found via the "All Programs" feature in the start menu and if opened will 100% have a update feature somewhere.
NEVER use more than ONE Anti-Virus program,
NEVER use more than ONE resident Full time Anti-Spyware program,
NEVER use more than ONE Software Firewall,



As more than one of each of these will conflict with each other and leave you just as vunrable as not having them.
You can get some VERY GOOD FREE ones from HERE

Its always a good idea to back these up with SpywareBlaster as this will run in the background and not conflict with any of your other Security.

Also give WinPatrol a try as it is a very good program that will inform you of any changes being made to your system in the same way that User Account Control does but better, (DO NOT switch off UAC if you install WinPatrol, it is still very much needed)

Research and consider using a HARDWARE Firewall as this will provide a very good extra layer of protection.

Scan with each piece of your security Daily and at the very least two daily.
Always keep a few on-demand scanners on your machine and use them every other day, such as,

  • Malwarebytes Anti-Malware(consider perchusing the paid version for £25 for a lifetimes use and a very good piece of kit to have running on your machine)
  • Spybot Search&Destroy (DO NOT install the Tea Timer Function)
  • Ad-Aware (Again DO NOT install the resident scanner)

 

If you use IE then consider using a more secure browser such as FireFox or Opera

Install all the latest Windows updates from HERE
or by clicking start>all programs>Windows update, and keep going back and doing these untill you have all the avalible updates untill none are showing.
Its a good idea to set Windows Update to automatic so as not to miss any Important updates.


Always you a site advisor such as WOT to confirm the sites you are using are really the sites they say they are.
There is a version of WOT avalible for both IE and FIreFox.

 

Every so often (two weeks- 1 month) it would be a good idea to run this free online Security Test called Secunia, which will test all the programs on your system for security vunralbilities. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing.

You will also see a process indicator that looks like this:process.gif
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section.
You will have a link next to all the programs on you system that need updating, please install these updates one by one until no more are showing.

 

And please read these links for adivce on Computer Security:
So how did I get infected in the first place by Tony Klein
Do's and Don't's of Security Programs
Anti-Virus Programs Explained


If you have any other questions then please fill free to post back,
I will mark this thread as solved tomorrow,

Safe Surfing,
K27.

kevin27_b3d29f

1.5K Posts

August 19th, 2010 07:00

This topic is Resolved.....

The fixes in this topic were written specifically for this user, following them may cause harm to your machine and render it a brick (useless)

If you are the original poster and would like further assistance please post a fresh HJT log and details of the problems you are having.

All other user's, please read THIS page and then please start a New Topic at the top of the Malware Removal Forum by clicking the DCFnewpost.png button.

Regards
K27

Nathan.MacNeil

5 Posts

October 19th, 2010 17:00

{$content}


Now I understand more about it, Thanks for your explanation!

View More

View All

No Events found!

Top