Tag: Windows XP
Windows Security Center Says Automatic Updates Are Turned Off
by Greg on Jun.18, 2011, under Antivirus, PC Repair, Problems, Security, Windows XP
Today I ran into a problem while repairing a computer that had a partially cleaned up virus. I completed the cleanup that my client attempted, ran all my antivirus tools, and thought I had everything working. That is, until I noticed the little red shield for Windows Security Center. It said, “We’re Sorry. The Security Center could not change your Automatic Updates settings.”
I then tried to turn the updates on in the Automatic Updates settings, but they were already turned on and enabled.
Next, I wanted to see if I could just run Windows Update. It, however, fails immediately if you try to run Express, and gives me Error number: 0x80070424.
So… we have this problem. We can’t run or enable updates in Windows XP. They show enabled, but Security Center thinks otherwise.
Ok, so let’s fix this. First, make sure you’ve cleaned up any viruses. Once you are sure you are working on a clean system, then try the fixes below.
We need to create at least one batch file (below) and re-register all the components.
Step 1:
Let’s try this one first. Create a file called reg-wu1.bat. (call it whatever you want though, it doesn’t matter.) Copy the text below and paste it into the file. NOTE: you may need to enable file extensions in Windows Explorer so you can rename it to a “.bat” file.
regsvr32 c:\windows\system32\vbscript.dll
regsvr32 c:\windows\system32\mshtml.dll
regsvr32 c:\windows\system32\msjava.dll
regsvr32 c:\windows\system32\jscript.dll
regsvr32 c:\windows\system32\msxml.dll
regsvr32 c:\windows\system32\actxprxy.dll
regsvr32 c:\windows\system32\shdocvw.dll
It should look like this:
Save the file and double click to run it. A DOS box will pop up and execute all the commands. You’ll get several “Succeeded” messages that you need to click “OK” on. Shown below, I received 1 or 2 that didn’t succeed:
I ran the above, attempted to run Windows Update again, but still received the error. Maybe it will work for you though. If not, try Step 2.
Step 2:
Then I created another batch file and called it reg-wu2.bat and pasted the text below into it:
regsvr32 /s Softpub.dll
regsvr32 /s Mssip32.dll
regsvr32 /s Initpki.dll
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
regsvr32 Urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 msxml.dll
regsvr32 msxml2.dll
regsvr32 msxml3.dll
regsvr32 Browseui.dll
regsvr32 shell32.dll
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wuweb.dll
regsvr32 jscript.dll
regsvr32 atl.dll
regsvr32 Mssip32.dll
Should look like the image below:
Again, as you did in step 1 above, save the file and double click to run it. A DOS box will pop up and execute all the commands. You’ll get several “Succeeded” messages that you need to click “OK” on. I received 1 or 2 that didn’t succeed:
Here is one of the messages that did not succeed on this system:
Once this operation was complete, I went to Windows Update again and attempted to run the Express setup. EVERYTHING WORKED!!! YAY!! Even the Security Center showed updates were enabled and turned on again!
If you need further help, I found some of these repairs in the Microsoft Knowledge Base article linked below.
http://support.microsoft.com/kb/555989
Good luck!
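An added example, not part of the original post: the Step 2 registrations run silently, with only the failures reported, so there are no dialogs to click through and the DLLs that did not register are named. It assumes the DLLs live in %SystemRoot%\system32 and relies on regsvr32 returning a non-zero exit code when registration fails; the log file name is made up for the example.

```batch
@echo off
rem Added example (not from the original post).
rem Registers the Step 2 DLLs silently and reports only the failures.
setlocal
rem Hypothetical log file name, chosen for this example.
set "FAILED=%TEMP%\reg-wu-failed.txt"
if exist "%FAILED%" del "%FAILED%"

for %%D in (
  softpub.dll wintrust.dll initpki.dll dssenh.dll rsaenh.dll gpkcsp.dll
  sccbase.dll slbcsp.dll cryptdlg.dll urlmon.dll shdocvw.dll msjava.dll
  actxprxy.dll oleaut32.dll mshtml.dll msxml.dll msxml2.dll msxml3.dll
  browseui.dll shell32.dll wuapi.dll wuaueng.dll wuaueng1.dll wucltui.dll
  wups.dll wuweb.dll jscript.dll atl.dll mssip32.dll
) do call :register %%D

if exist "%FAILED%" (
  echo These DLLs did not register:
  type "%FAILED%"
) else (
  echo All DLLs registered.
)
endlocal
goto :eof

:register
rem A DLL that is absent cannot be registered; record it and move on.
if not exist "%SystemRoot%\system32\%1" (
  >>"%FAILED%" echo %1 - not found in system32
  goto :eof
)
rem /s suppresses the message boxes; the exit code is non-zero on failure.
regsvr32 /s "%SystemRoot%\system32\%1"
if errorlevel 1 (
  >>"%FAILED%" echo %1 - regsvr32 exit code %errorlevel%
)
goto :eof
```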
Reset your Windows password with Chntpw using System Rescue CD
by Greg on Mar.11, 2011, under Linux, PC Repair, Registry, Security, Windows 7, Windows XP
Quick note about using the chntpw command to reset Windows passwords. Mostly, I just couldn’t remember what the command line program was or the switches.
Boot to System Rescue CD.
Mount the Windows drive RW (mine was RO)
cd to the config dir: cd /mnt/sda1/Windows/System32/config
Back up your sam, security, system, software (just copy them to another directory)
Now run this to list users while in the config directory:
chntpw -l ./sam
And this will run in interactive mode and ask you which user’s password to edit.
chntpw -i ./sam
Chntpw can also edit your registry. One time it really saved the day when I was locked out of a computer and something was causing boot to fail. This made it pretty quick to edit the registry in a way that allowed me access to the system again. (then we proceeded to run a bunch of antivirus checks) By the way, this worked for me on Windows XP and Windows 7.
Great tool!
Revisiting MsMpEng.exe Antimalware service executable high resource usage
by Greg on Feb.23, 2011, under Antivirus, Security, Windows 7, Windows XP
MsMpEng.exe – Antimalware service executable
I generally do not have any issues with Microsoft Security Essentials. It just works, and does its job quite well. From time to time I notice some weird issues on my client computers, where MsMpEng.exe (Antimalware service executable) is using far too many resources and too much CPU time. (Extra-large amounts of memory, and CPU time may even be 100%.)
I had an original post here which may solve your issue as well:
http://www.1stbyte.com/2010/02/01/microsoft-security-essentials-msmpeng-exe-using-high-cpu-time/
That post says to exclude some directories from your scanning. I have since found that, in the newer version of Microsoft Security Essentials, there are some options that have also helped. We mainly want to tell MSSE that we only want to scan if the computer is not in use. I also set it to limit CPU usage.
Check this option in the MSSE Settings tab, under Scheduled Scan:
“Start the scheduled scan only when my computer is on but not in use”
Open Microsoft Security Essentials and go to the Settings tab (shown below):
Next, in the Scheduled Scan settings on the left menu, look at the right side options and check the option box to only scan when my computer is not in use:
And last, save your changes:
I have tried this setting, and it does help. But read my other post too, if this doesn’t help, maybe give that other option a shot. Good luck!
DNS settings hijacked and av.exe won’t go away. Internet turns Inertnet!
by Greg on Feb.25, 2010, under Antivirus, Networking, Windows XP
Had a fun time today cleaning off some trojans and rootkits. On this one client system, while trying to go online, the Internet turned into the Inertnet! (Hahahha! I love that one!) As usual, I have lots of ideas why, but no real evidence and clients saying “I don’t know how it got there.” Doesn’t really matter though, it’s there and I am going to clean it off. I managed to easily scan for and clean off a couple of them, but one wouldn’t detect with any scanner. AV.exe kept popping up, showing the fake Windows Security Center and Antivirus 2010. I used Process Explorer to see the offender, but I couldn’t find the file, it was hidden.
I rebooted with UBCD4Win, found the file and deleted it. Problem is, this caused a mess in Windows. Nothing would load, I always got an “Open With” dialog box. After some Googling, I found out where to fix that in HKCR in the registry. In there, there was a setting for .exe files to open, and it was set to use av.exe in the user profile to open them! How do you like that?!!
I wasn’t able to fix that in the current user profile, it was locked down somehow. Opening in the Administrator account of XP allowed me to fix it though. The default value for “exefile” should be set to:
"%1" %*
(Just google that for more info.)
Ok, so got that all fixed. Fun how you clean off these bugs, only to leave windows all messed up after! Next, did all my final scans, tweaks and other items. (lock down IE, disable scripts/Flash/Adobe, add a windows update to Trusted Sites, and force user to use Firefox. I also changed the icon on Firefox to the one for IE so the user will pretty much always use it!) Then I tried to get all the updates caught up, only no go! Wait, I am on the same Internet connection as my system, and it works for me, why not the client system? Hmm… well they are on an isolated subnet, going through the firewall separately. (keeps their bugs off my systems!) But, wait, those are the same DNS settings?
AH! Take a look at those NIC properties in XP. DNS is hard set to 93.188.x.x! Nslookup shows that as some place at a .com.ua domain. Well, let’s fix that one, and set to DHCP like it should be! Problem solved, Windows Update works!
Fun stuff! I’ve cleaned a lot of bugs over the years, and I’ve heard of DNS hijacking, but that’s the first one I’ve seen like that.
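An added example, not part of the original post: a post-cleanup check for the two leftovers described above, hand-set DNS servers on a network adapter and a replaced handler for .exe files. It reads the standard Tcpip interface keys, where NameServer holds DNS servers typed into the NIC properties and DhcpNameServer holds the leased ones; the check for a per-user override under HKCU\Software\Classes assumes a clean profile has none.

```batch
@echo off
rem Added example (not from the original post): post-cleanup check for
rem hand-set DNS servers and a replaced .exe handler.
rem Run it from an Administrator account.
setlocal enabledelayedexpansion
set "IFKEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
set "KEY="
set "FOUND=0"

echo == DNS servers typed into the NIC properties ==
rem reg query prints each interface key on its own line, then its values as
rem "name type data". An empty NameServer means DHCP supplies the DNS servers.
for /f "tokens=1,2,*" %%A in ('reg query "%IFKEY%" /s') do (
  if "%%B"=="" set "KEY=%%A"
  if /i "%%A"=="NameServer" if not "%%C"=="" (
    echo Static DNS: %%C
    echo   interface key: !KEY!
    set "FOUND=1"
  )
)
if "!FOUND!"=="0" echo None. Every adapter takes its DNS servers from DHCP.

echo.
echo == Handler for .exe files ==
echo Expected default value: "%%1" %%*
reg query "HKCR\exefile\shell\open\command" /ve
rem Assumption: a clean profile has no per-user override of these classes.
for %%K in (.exe exefile) do (
  reg query "HKCU\Software\Classes\%%K" >nul 2>&1
  if not errorlevel 1 echo WARNING: per-user override at HKCU\Software\Classes\%%K
)
endlocal
```

Any address listed under static DNS that you did not set yourself is worth looking up before you switch the adapter back to DHCP.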
Rootkit from fes.sk/files
by Greg on Feb.09, 2010, under Antivirus, Internet, Networking, PC Repair, Security, Windows XP
I had a client recently that had their browsers hijacked. Everything they typed in the browser ended up redirecting them to some test_s.php file at “www.fes.sk”. (Don’t open that, or you might end up with a virus! I just wanted people to find this in case it might help clean this bug off!)
Not sure what this virus was, but it disabled Microsoft Security Essentials and blocked even MalwareBytes and SuperAntispyware from detecting it. I couldn’t find it and I was almost to the point of just reloading the computer because in this case it would have been faster to just copy the docs off and reload Windows XP.
I thought, let’s search that URL? This was key, because it brought up some forum posts and someone mentioned HitMan PRO. www.surfright.nl/en/hitmanpro
Never heard of this program, but thought since it had a 30 day trial I’d give it a quick shot. I was very impressed, it scanned in literally a few minutes. (like 2 or 3!) It found a “Rootkit”, nothing more than that though, in a file called “ipsec.sys” in the system32/drivers directory. Then it said, “Reboot to clean.”
My client was very pleased to see it reboot, do another very quick scan, and he was able to browse the web again.
Hitman Pro was free for 30 days, but you had to activate it. I believe it has a subscription price of just under $30/year for 3 PC’s. (as of 02/09/2010) That’s not too bad I think. Keep in mind though, this looks like a “remover”, not a real-time antivirus protection program. You’ll still want Norton, NOD32, MSSE, whatever you like, for that.
Now, I have to ask… because all my clients are starting to ask… why do they need this when they already have MSSE, Norton, etc? Why doesn’t the AV real-time protection actually protect them in the first place? Well, I can’t answer that one. But it drives me nuts, and it makes it worthless to pay for a subscription to Norton or McAfee (or any other) when all they do is get subverted and taken down, even if it’s the client’s fault. Because of this I will only suggest a free product for now, at least until I start seeing the “for pay” products doing what they were paid to do. And if I see a Rootkit or Trojan that I can’t easily clean off, I’ll recommend HitmanPro for now. If that can quickly remove bugs for my clients every time I use it, I’ll tell them (my clients) to use it and even purchase it as a quick cleaning tool in addition to MSSE.





