SP3 problems on 10 systems using Escan A/V from Micro World Technologies

[Bob Aubry]

We have received calls on 10 systems starting last Thursday that we believe
relate to XP SP3:
1. All systems had Auto Update turned on and we think all had IE 7
2. The symptoms include Start bar minimized, cant see anything in Local
Network connection, cant cut/paste, IE opens and closes.
3. We see that many normal services are not properly started on these
systems and cant start them, they need other serices...
4. System Restore does not work, says "restart your system and try again"
you get the same results
The common thread is all have escan A/V installed.
We have contacted www.mwti.com and they have seen similar problems,
recommended uninstall kb947864 and restoring a backup of HKLMSY.reg (a
registry system backup that escan makes if it updates the registry).
We were not able to import this file on the system wre tried...We are really
trying to avoid backup of app data and reformatting these and reinstalling
XP and the apps....
We have a case open with Msft, but so far, no help, they are calling
tomorrow.
Any ideas or similar symptoms?
Thanks in advance..

 

[Kayman]

We have received calls on 10 systems starting last Thursday that we believe
relate to XP SP3:
1. All systems had Auto Update turned on and we think all had IE 7
2. The symptoms include Start bar minimized, cant see anything in Local
Network connection, cant cut/paste, IE opens and closes.
3. We see that many normal services are not properly started on these
systems and cant start them, they need other serices...
4. System Restore does not work, says "restart your system and try again"
you get the same results
The common thread is all have escan A/V installed.
We have contacted www.mwti.com and they have seen similar problems,
recommended uninstall kb947864 and restoring a backup of HKLMSY.reg (a
registry system backup that escan makes if it updates the registry).
We were not able to import this file on the system wre tried...We are really
trying to avoid backup of app data and reformatting these and reinstalling
XP and the apps....
We have a case open with Msft, but so far, no help, they are calling
tomorrow.
Any ideas

How to remove Windows XP Service Pack 3 from your computer
http://support.microsoft.com/kb/950249

Things to do prior downloadin/installing SP3.
1.Make an Image backup of the hard drive/Windows Partition before you
install SP3
2.Test your System Restore to see if it is working correctly.
3.Make absolutely sure the machine's free of any hijackware, Trojan, or
virus infections before installing SP3.
4.Run Disk Cleanup then run a Defrag session before installing SP3.
5.Disable all real-time protections (anti-virus; anti-spyware;third-party
firewall) before downloading/installing SP3.
6.Reboot twice after installing SP3.
7.Run another Defrag.

Detailed (must-read) information:
Windows XP SP3 - Read all prerequisites for a successful installation
http://msmvps.com/blogs/harrywaldro...requisites-for-a-successful-installation.aspx

Windows XP Service Pack 3 Overview
http://www.microsoft.com/downloads/...ad-bc34-40be-8d85-6bb4f56f5110&displaylang=en

Release Notes for Windows XP Service Pack 3
http://support.microsoft.com/kb/936929
http://download.microsoft.com/download/c/d/8/cd8cc719-7d5a-40d3-a802-e4057aa8c631/relnotes.htm
http://www.microsoft.com/downloads/...8969-4ddf-beb2-8bfac9ed416b&displaylang=en&tm

The hard disk space requirements for Windows XP Service Pack 3
http://support.microsoft.com/kb/947311

Some third-party programs may experience a change in functionality after
you install Windows XP Service Pack 3
http://support.microsoft.com/kb/947309

Steps to take before you install Windows XP Service Pack 3
http://support.microsoft.com/kb/950717

How to obtain the latest Windows XP service pack
http://support.microsoft.com/kb/322389

Create an Automated System Recovery set using Backup
http://technet2.microsoft.com/windo...259b-4d55-98f9-12dbc4eb06311033.mspx?mfr=true

How to Set up and Use Automated System Recovery in Windows XP
http://technet.microsoft.com/en-us/library/bb456980.aspx

Installing Windows XP Service Pack 3 (SP3)
http://technet.microsoft.com/en-us/windowsxp/cc164204.aspx

Windows XP Service Pack 3 - ISO-9660 CD Image File:
http://www.microsoft.com/downloads/...CE-B5FB-4488-8C50-FE22559D164E&displaylang=en

Windows XP Service Pack 3 Network Installation Package for IT Professionals
and Developers
(Single installations for PCs can use the same file)
http://www.microsoft.com/downloads/...A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

Recover from a system failure using Automated System Recovery
http://technet2.microsoft.com/windo...50b7-4b14-a2fd-0155d6b174f91033.mspx?mfr=true

Error message when you try to install Windows XP Service Pack 3: "Access is
denied" or "Service Pack installation did not complete"
http://support.microsoft.com/kb/949377

If you don't like the answers provided here go to:
Use this forum for all issues related to Windows XP SP3
http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=2010&SiteID=17

 

[MowGreen [MVP]]

The corrupted reg entries were caused by NIS or other Norton 'products'
actively monitoring the system during the application of SP3.

Bob clearly states that the installed AV is Escan. The registry subkey
you posted is clearly related to Norton's CCProxy.
What makes you think the solution to the 'Norton' issue is applicable
here since Bob also stated that MicroWorld advised him to uninstall
KB947864 ?

@ Bob: Was Escan actively monitoring the systems when SP3 was applied ?

Were the issues occurring after the application of SP3 or, did the
issues start occurring after the installation of KB947864?

Was IE7 installed PRIOR to SP3 being applied ?
Can you attach or post the reg file MW provided ?


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

 

[Bob Aubry]

MowGreen:
Well, we now have a count up to 12 systems INCLUDING a W2003 advanced
Server. We have not yet been successful at "cleaning" or repairing any of
them, we have backed up the Profiles, other key data files etc. On several,
the client could not locate the original CD's so we booted with Bart and ran
a Belarc to record the key data, then reformatted and re-installed ALL and
put the Profile back in....that worked and maybe 5 will be done today with 2
techs on it...not good.
Here are some of today's findings and specuations:
1. Registry corruption in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R
oot\LEGACY XXX
We have searched these and found NO corruption at all, not to say its not
there, we have not found it.
2. Registry restores suggested by MWTI...
Escan did create zip files of these for 1 system we have here and when we
Import the HKLMRT.reg, HKLMSY.reg, or HKLMSW.reg they import, but do not
complete both in normal boot and Safe mode.
3. Services not started properly
We manually started every service possible and still no help. We clearly see
many Auto services that are not started that should be and cant get them
going since we cant see properties for their dependencies...
4. Msft Support down to an XP "repair" install
We started this about 2 hours ago on a portable after backing it up. This is
not a "recover" and its stuck with 28 mins to go for the last hour, so not
optimistic on this working.
5. MWTI escan help
The ONLY common thing with ALL systems was Updates set to Auto and Escan A/V
installed and active when the update took place.
6. Last Updates on ALL systems appear to be KB950749 Jet update on 05/14/08
and uninstalling this does not remove it on our system, but MWTI says this
did help another person with same symptoms.
Here are the answers to your questions:
1. @ Bob: Was Escan actively monitoring the systems when SP3 was applied ?
Yes, we assume it was active during the Auto Update process
2. > Were the issues occurring after the application of SP3 or, did the

issues start occurring after the installation of KB947864?

We believe MWTI was mislead by KB947864, this is showing 04/09/08 long
before the problems. Also, SP3 shows no evidence of being installed at all
on any systems, so we have been "presuming" that it was auto installed, and
that may be true, but we do know
KB950749 WAS installed 05/14/08 and thats when the systems had problems. And
with the W2003 Server now in,
we are thinking it may NOT be SP3 but something else...like 950749 and Escan
.....
3. > Was IE7 installed PRIOR to SP3 being applied ?

Can you attach or post the reg file MW provided ?

We know that IE 7 was installed on these system well ahead of SP3. The
HKLMSY.reg files are specific to each system and I have them from 1 of the
systems, its 14MB unzipped....
Thanks for the help!!!
--
Bob Aubry
Main Street Software, Inc.
email (e-mail address removed)
voice (717) 898-2946
Sage/ACCPAC Manufacturing and Job Cost Certified

The corrupted reg entries were caused by NIS or other Norton 'products'
actively monitoring the system during the application of SP3.

Bob clearly states that the installed AV is Escan. The registry subkey you
posted is clearly related to Norton's CCProxy.
What makes you think the solution to the 'Norton' issue is applicable here
since Bob also stated that MicroWorld advised him to uninstall
KB947864 ?

@ Bob: Was Escan actively monitoring the systems when SP3 was applied ?

Were the issues occurring after the application of SP3 or, did the issues
start occurring after the installation of KB947864?

Was IE7 installed PRIOR to SP3 being applied ?
Can you attach or post the reg file MW provided ?


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

Hello Bob


I had seen an almost similar problem when I pushed SP3 thru SMS...My
device manger went blank..,My IE would crash though I cud cut n
paste...

Though I allready posted the solution in this forum too and it did work
fine for the others tooo...I"ll paste it again here and u see if it
helps..We need to delete the corrupted registries..

Start>Run>Regedit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_CCPROXY

All the corrupt entries (begining with $%& ) Make sure you take a backup
of ur keys before proceeding and if
possible compare it with a working XP Machine...

If this is not the case ..try downloading regmon from sysinternals.com
and run it..try running ur failed applications to see the registry they
are going thru...and compare them with a working machine..


Hope this works!!


Regards


Fazal

 

[MowGreen [MVP]]

Bob,

Not good practice. One should totally disable Escan prior to applying SP3.

We believe MWTI was mislead by KB947864, this is showing 04/09/08 long
before the problems. Also, SP3 shows no evidence of being installed at all
on any systems, so we have been "presuming" that it was auto installed, and
that may be true, but we do know
KB950749 WAS installed 05/14/08 and thats when the systems had problems. And
with the W2003 Server now in,
we are thinking it may NOT be SP3 but something else...like 950749 and Escan

If Escan's functions are related to the files updated by KB950749, then
that *may* be the cause of the issues. You'll have to ask MW if Escan
has any dependencies with the MSJet Database Engine.

You can check to see if SP3 has installed on the desktops by using
winver or look in Add/Remove Programs to see if it's listed.
AFAIK, SP3 is NOT coming down automatically via Automatic Updates yet.

Is there a WSUS server distrbuting updates to client desktops ?

All of the issues you describe 'sound' as if they were caused by
registry corruption caused by Escan actively monitoring the system when
SP3 was applied.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

 

[Bob Aubry]

MowGreen:
Thanks for the ideas, we are discussing this with MWTI tomorrow. We agree
that all A/V should be off when installing SP's and even
Security fixes...we always set updates to Download but let me install....and
our more progressive customers are on Managed Services where
we completely control that process via Kaseya. But, these were "random"
systems most of which we inherited and did not originally sell/install
so they had Auto update on.
We know its NOT an SP3 problem since Auto Update does not install SP3 and no
user did so.
We are strongly thinking that something with Msft Jet4 (and all the other
parts/pieces .NET XX, etc) update was interfered with by escan, yet
we and MWTI can not find any reg corruption...
Its been complete non-productivity costing out clients and us
thousands...now we will REALLY push for Acronis image workstation backups
regularly to a NAS...much faster recovery.
Thanks for the thoughts and let me know if you find anything else.
Bob A

Bob,

Not good practice. One should totally disable Escan prior to applying SP3.

We believe MWTI was mislead by KB947864, this is showing 04/09/08 long
before the problems. Also, SP3 shows no evidence of being installed at
all on any systems, so we have been "presuming" that it was auto
installed, and that may be true, but we do know
KB950749 WAS installed 05/14/08 and thats when the systems had problems.
And with the W2003 Server now in,
we are thinking it may NOT be SP3 but something else...like 950749 and
Escan

If Escan's functions are related to the files updated by KB950749, then
that *may* be the cause of the issues. You'll have to ask MW if Escan has
any dependencies with the MSJet Database Engine.

You can check to see if SP3 has installed on the desktops by using winver
or look in Add/Remove Programs to see if it's listed.
AFAIK, SP3 is NOT coming down automatically via Automatic Updates yet.

Is there a WSUS server distrbuting updates to client desktops ?

All of the issues you describe 'sound' as if they were caused by registry
corruption caused by Escan actively monitoring the system when SP3 was
applied.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

MowGreen:
Well, we now have a count up to 12 systems INCLUDING a W2003 advanced
Server. We have not yet been successful at "cleaning" or repairing any of
them, we have backed up the Profiles, other key data files etc. On
several, the client could not locate the original CD's so we booted with
Bart and ran a Belarc to record the key data, then reformatted and
re-installed ALL and put the Profile back in....that worked and maybe 5
will be done today with 2 techs on it...not good.
Here are some of today's findings and specuations:
1. Registry corruption in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY XXX
We have searched these and found NO corruption at all, not to say its not
there, we have not found it.
2. Registry restores suggested by MWTI...
Escan did create zip files of these for 1 system we have here and when we
Import the HKLMRT.reg, HKLMSY.reg, or HKLMSW.reg they import, but do not
complete both in normal boot and Safe mode.
3. Services not started properly
We manually started every service possible and still no help. We clearly
see many Auto services that are not started that should be and cant get
them going since we cant see properties for their dependencies...
4. Msft Support down to an XP "repair" install
We started this about 2 hours ago on a portable after backing it up. This
is not a "recover" and its stuck with 28 mins to go for the last hour, so
not optimistic on this working.
5. MWTI escan help
The ONLY common thing with ALL systems was Updates set to Auto and Escan
A/V installed and active when the update took place.
6. Last Updates on ALL systems appear to be KB950749 Jet update on
05/14/08 and uninstalling this does not remove it on our system, but MWTI
says this did help another person with same symptoms.
Here are the answers to your questions:
1. @ Bob: Was Escan actively monitoring the systems when SP3 was applied
?
Yes, we assume it was active during the Auto Update process
2. > Were the issues occurring after the application of SP3 or, did the


We believe MWTI was mislead by KB947864, this is showing 04/09/08 long
before the problems. Also, SP3 shows no evidence of being installed at
all on any systems, so we have been "presuming" that it was auto
installed, and that may be true, but we do know
KB950749 WAS installed 05/14/08 and thats when the systems had problems.
And with the W2003 Server now in,
we are thinking it may NOT be SP3 but something else...like 950749 and
Escan ....
3. > Was IE7 installed PRIOR to SP3 being applied ?


We know that IE 7 was installed on these system well ahead of SP3. The
HKLMSY.reg files are specific to each system and I have them from 1 of
the systems, its 14MB unzipped....
Thanks for the help!!!

 

[Bob Aubry]

MowGreen:
Well, Microworld called today and said check \system32 for missing
spoolsv.exe and svchost.exe and sure enough, these were missing on 1 XP SP2
system and 1 W2003 server.
We copied them from known good systems, rebooted and low and behold,
everything looks like its ok. We saved the server and a COMPLEX XP system
from a dentist with a video capture board running to a special calibrated
camera for LAST, hoping for some resolution, and this seems to be it. MWTI
also said to restore the system registry, but we have not needed that so far
and they said Uninstall KB 950749 and 947864, and we have not done that yet
either.
We are taking these back to the client locations and if they work ok, great,
otherwise we will
pull the KB's.
So, it looks like auto-update of 950749 with Escan running deleted these 2
critical files...
no registry corruption like the Norton issues, but similar symptoms.
Thx for listening!
--
Bob Aubry
Main Street Software, Inc.
email (e-mail address removed)
voice (717) 898-2946
Sage/ACCPAC Manufacturing and Job Cost Certified

Bob,

Not good practice. One should totally disable Escan prior to applying SP3.

We believe MWTI was mislead by KB947864, this is showing 04/09/08 long
before the problems. Also, SP3 shows no evidence of being installed at
all on any systems, so we have been "presuming" that it was auto
installed, and that may be true, but we do know
KB950749 WAS installed 05/14/08 and thats when the systems had problems.
And with the W2003 Server now in,
we are thinking it may NOT be SP3 but something else...like 950749 and
Escan

If Escan's functions are related to the files updated by KB950749, then
that *may* be the cause of the issues. You'll have to ask MW if Escan has
any dependencies with the MSJet Database Engine.

You can check to see if SP3 has installed on the desktops by using winver
or look in Add/Remove Programs to see if it's listed.
AFAIK, SP3 is NOT coming down automatically via Automatic Updates yet.

Is there a WSUS server distrbuting updates to client desktops ?

All of the issues you describe 'sound' as if they were caused by registry
corruption caused by Escan actively monitoring the system when SP3 was
applied.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

MowGreen:
Well, we now have a count up to 12 systems INCLUDING a W2003 advanced
Server. We have not yet been successful at "cleaning" or repairing any of
them, we have backed up the Profiles, other key data files etc. On
several, the client could not locate the original CD's so we booted with
Bart and ran a Belarc to record the key data, then reformatted and
re-installed ALL and put the Profile back in....that worked and maybe 5
will be done today with 2 techs on it...not good.
Here are some of today's findings and specuations:
1. Registry corruption in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY XXX
We have searched these and found NO corruption at all, not to say its not
there, we have not found it.
2. Registry restores suggested by MWTI...
Escan did create zip files of these for 1 system we have here and when we
Import the HKLMRT.reg, HKLMSY.reg, or HKLMSW.reg they import, but do not
complete both in normal boot and Safe mode.
3. Services not started properly
We manually started every service possible and still no help. We clearly
see many Auto services that are not started that should be and cant get
them going since we cant see properties for their dependencies...
4. Msft Support down to an XP "repair" install
We started this about 2 hours ago on a portable after backing it up. This
is not a "recover" and its stuck with 28 mins to go for the last hour, so
not optimistic on this working.
5. MWTI escan help
The ONLY common thing with ALL systems was Updates set to Auto and Escan
A/V installed and active when the update took place.
6. Last Updates on ALL systems appear to be KB950749 Jet update on
05/14/08 and uninstalling this does not remove it on our system, but MWTI
says this did help another person with same symptoms.
Here are the answers to your questions:
1. @ Bob: Was Escan actively monitoring the systems when SP3 was applied
?
Yes, we assume it was active during the Auto Update process
2. > Were the issues occurring after the application of SP3 or, did the


We believe MWTI was mislead by KB947864, this is showing 04/09/08 long
before the problems. Also, SP3 shows no evidence of being installed at
all on any systems, so we have been "presuming" that it was auto
installed, and that may be true, but we do know
KB950749 WAS installed 05/14/08 and thats when the systems had problems.
And with the W2003 Server now in,
we are thinking it may NOT be SP3 but something else...like 950749 and
Escan ....
3. > Was IE7 installed PRIOR to SP3 being applied ?


We know that IE 7 was installed on these system well ahead of SP3. The
HKLMSY.reg files are specific to each system and I have them from 1 of
the systems, its 14MB unzipped....
Thanks for the help!!!

 

[MowGreen [MVP]]

Bob,

Thanks for following up on the thread. Escan deleted spoolsv and svchost
when KB950479 was installed ? Ouch. Nice AV. <w>
Let's hope this issue is resolved now and that MWT fixes Escan so that
it doesn't delete system files when they're being replaced/updated.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

 

[Boba1111]

MowGreen:
Well, we are NOT blaming Escan itself for the deletion of the 2 files. MWTI
has NOT said that Escan is in any way the cause. We have no idea why they get
deleted, but the common thread is this update and Escan. Microworld has been
great in trying to nail down how to fix the systems. We have a couple that
replacing the 2 files did not fix...we had to regen these. --
Bob

Bob,

Thanks for following up on the thread. Escan deleted spoolsv and svchost
when KB950479 was installed ? Ouch. Nice AV. <w>
Let's hope this issue is resolved now and that MWT fixes Escan so that
it doesn't delete system files when they're being replaced/updated.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

MowGreen:
Well, Microworld called today and said check \system32 for missing
spoolsv.exe and svchost.exe and sure enough, these were missing on 1 XP SP2
system and 1 W2003 server.
We copied them from known good systems, rebooted and low and behold,
everything looks like its ok. We saved the server and a COMPLEX XP system
from a dentist with a video capture board running to a special calibrated
camera for LAST, hoping for some resolution, and this seems to be it. MWTI
also said to restore the system registry, but we have not needed that so far
and they said Uninstall KB 950749 and 947864, and we have not done that yet
either.
We are taking these back to the client locations and if they work ok, great,
otherwise we will
pull the KB's.
So, it looks like auto-update of 950749 with Escan running deleted these 2
critical files...
no registry corruption like the Norton issues, but similar symptoms.
Thx for listening!