Similar situation on Windows 7 Starter. Looking into the WindowsUpdate.log I can see:
4fc Setup Determining whether a new setup handler needs to be downloaded
2012-06-18 20:10:43:006 960 4fc Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe:
2012-06-18 20:10:43:037 960 4fc Misc Microsoft signed: Yes
2012-06-18 20:10:43:037 960 4fc Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe are not trusted: Error 0x800b0001
2012-06-18 20:10:43:037 960 4fc Setup WARNING: Trust verification failed for WuSetupV.exe. It will be deleted and downloaded, error = 0x800B0001
2012-06-18 20:10:43:037 960 4fc Setup SelfUpdate handler update required: Current version: 7.6.7600.256, required version: 7.6.7600.256
2012-06-18 20:10:43:037 960 4fc Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~x86~~7.6.7600.256"
2012-06-18 20:10:43:068 960 4fc Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~x86~~7.6.7600.256" is already installed.
2012-06-18 20:10:43:068 960 4fc Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~x86~~7.6.7600.256"
2012-06-18 20:10:43:240 960 4fc Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~x86~~7.6.7600.256" is applicable but is already staged; it will not be downloaded.
2012-06-18 20:10:43:240 960 4fc Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~x86~~7.6.7600.256"
2012-06-18 20:10:43:723 960 4fc Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~x86~~7.6.7600.256" is already installed.
2012-06-18 20:10:43:723 960 4fc Setup SelfUpdate check completed. SelfUpdate is NOT required.
2012-06-18 20:10:45:861 960 4fc Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-06-18 20:10:45:907 960 4fc Misc Microsoft signed: Yes
2012-06-18 20:10:45:907 960 4fc Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab are not trusted: Error 0x800b0001
2012-06-18 20:10:46:048 960 4fc Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-06-18 20:10:46:079 960 4fc Misc Microsoft signed: Yes
2012-06-18 20:10:46:079 960 4fc PT +++++++++++ PT: Synchronizing server updates +++++++++++
2012-06-18 20:10:46:079 960 4fc PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL =https://www.update.microsoft.com/v6/ClientWebService/client.asmx
2012-06-18 20:13:07:433 960 4fc Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-06-18 20:13:07:479 960 4fc Misc Microsoft signed: Yes
2012-06-18 20:13:07:589 960 4fc Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-06-18 20:13:07:620 960 4fc Misc Microsoft signed: Yes
2012-06-18 20:13:07:635 960 4fc PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2012-06-18 20:13:07:635 960 4fc PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL =https://www.update.microsoft.com/v6/ClientWebService/client.asmx
2012-06-18 20:14:07:071 960 4fc Misc WARNING: Send failed with hr = 80072ee2.
2012-06-18 20:14:07:071 960 4fc Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2012-06-18 20:14:07:071 960 4fc PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2012-06-18 20:14:07:071 960 4fc PT + Caller provided credentials = No
2012-06-18 20:14:07:071 960 4fc PT + Impersonate flags = 0
2012-06-18 20:14:07:071 960 4fc PT + Possible authorization schemes used =
2012-06-18 20:14:07:071 960 4fc PT WARNING: GetExtendedUpdateInfo failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2012-06-18 20:14:07:071 960 4fc PT WARNING: PTError: 0x80072ee2
2012-06-18 20:14:07:071 960 4fc PT WARNING: GetExtendedUpdateInfo_WithRecovery: 0x80072ee2
2012-06-18 20:14:08:148 960 4fc PT WARNING: Sync of Extended Info: 0x80072ee2
2012-06-18 20:14:08:148 960 4fc PT WARNING: SyncServerUpdatesInternal failed : 0x80072ee2
2012-06-18 20:14:08:195 960 4fc Agent * WARNING: Exit code = 0x80072EE2
2012-06-18 20:14:08:195 960 4fc Agent *********
2012-06-18 20:14:08:195 960 4fc Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2012-06-18 20:14:08:195 960 4fc Agent *************
2012-06-18 20:14:08:195 960 4fc Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2012-06-18 20:14:08:319 960 e00 AU >>## RESUMED ## AU: Search for updates [CallId = {8A83B3B5-055F-497E-B452-92F64D934BC9}]
2012-06-18 20:14:08:319 960 e00 AU # WARNING: Search callback failed, result = 0x80072EE2
2012-06-18 20:14:08:319 960 e00 AU # WARNING: Failed to find updates with error code 80072EE2
2012-06-18 20:14:08:319 960 e00 AU #########
2012-06-18 20:14:08:319 960 e00 AU ## END ## AU: Search for updates [CallId = {8A83B3B5-055F-497E-B452-92F64D934BC9}]
Maybe this problem is a result of the exploit described at
http://www.f-secure.com/weblog/archives/00002383.html
which, in part, states that
Flame creates a local proxy which it uses to intercept traffic to Microsoft Update. This is used to spread Flame to other machines in a local area network.
The fake update was signed with a certificate linking up to Microsoft root, as the attackers found a way to repurpose Microsoft Terminal Server license certificates. Even this wasn't enough to spoof newer Windows versions, so they did some cutting-edge cryptographic research and came up with a completely new way to create hash collisions, enabling them to spoof the certificate. They still needed a supercomputer though. And they've been doing this silently since 2010.
I believe that I may have been a political target of the Flame virus. I realize that Flame is a weapon of war designed by Western and Israeli intelligence to be used against the Islamic Republic of Iran and other enemies of the Rothschild banking empire.
Yesterday morning I rebooted my Windows 7 PC to find a suspicious Windows update being installed during the boot sequence despite the fact I disabled automatic updates. I immediately checked the WindowsUpdate.log to see what was installed, and I came across several suspicious warnings and errors that suggest I may have been infected by a variant of Flame or similar malware that spoofs the Windows Update feature. Others have been reporting similar problems in the last 2-3 weeks. This was found in my WindowsUpdate.log:
2012-06-25 21:04:29:829 812 510 Setup Determining whether a new setup handler needs to be downloaded
2012-06-25 21:04:29:836 812 510 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe:
2012-06-25 21:04:29:842 812 510 Misc Microsoft signed: Yes
2012-06-25 21:04:29:842 812 510 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe are not trusted: Error 0x800b0001
2012-06-25 21:04:29:842 812 510 Setup WARNING: Trust verification failed for WuSetupV.exe. It will be deleted and downloaded, error = 0x800B0001
2012-06-25 21:04:29:842 812 510 Setup SelfUpdate handler update required: Current version: 7.6.7600.256, required version: 7.6.7600.256
2012-06-25 21:04:30:741 812 510 Setup SelfUpdate check completed. SelfUpdate is required.
2012-06-25 21:04:30:741 812 510 Setup Downloading binaries required for SelfUpdate
2012-06-25 21:04:30:741 812 510 Setup Downloading SelfUpdate handler WuSetupHandler.cab from http://download.windowsupdate.com/v9/1/windowsupdate/b/selfupdate/WSUS3/x64/Vista
2012-06-25 21:04:30:752 812 510 Misc Validating signature for :\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupHandler.cab:
2012-06-25 21:04:30:765 812 510 Misc Microsoft signed: Yes
2012-06-25 21:04:31:084 812 510 Setup Successfully downloaded SelfUpdate handler
2012-06-25 21:04:31:084 812 510 Setup Download of SelfUpdate binaries succeeded
2012-06-25 21:04:31:084 812 510 Setup Starting agent SelfUpdate
2012-06-25 21:04:31:084 812 510 Setup Skipping installation because no critical packages are ready to install.
On reboot Windows 7 installed the so-called 'update.'
Here is my entire WindowsUpdate.log: http://www.filedropper.com/windowsupdatelogtar
"The full mechanism isn't yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer. This file is signed by Microsoft with a certificate that is chained up to Microsoft root.
Except it isn't signed really by Microsoft."
Source: http://www.f-secure.com/weblog/archives/00002377.html
"We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack," Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. "The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications."
Source: http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
"New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days."
Source: http://phk.freebsd.dk/sagas/md5crypt_eol.html
While my computer was exhibiting symptoms of the Flame variant, my Gigabyte GV-R485-512H-B, ATI 4850 video card P/N: 113-B5012-105 (BIOS Revision 011.004.000.000.029193) was overheating (flaming hot if you prefer) and the fan was out of control, speeding up and down... my computer crashed half a dozen times. I had to flash the BIOS to fix the problem. Can variants of Flame use the GPU of infected machines to crack encryption?
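An added example, not part of any post in this thread: a Python sketch that pairs each "Validating signature" entry of a WindowsUpdate.log with the "Microsoft signed" and "not trusted" lines that follow it on the same thread ID, so trust failures like those quoted above can be listed per file. The sample lines are copied from the first log above; the function names and the HRESULT name table are this example's own.

```python
import re

# Sample input: the first signature checks from the first log quoted in this thread.
SAMPLE_LOG = r"""
2012-06-18 20:10:43:006 960 4fc Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe:
2012-06-18 20:10:43:037 960 4fc Misc Microsoft signed: Yes
2012-06-18 20:10:43:037 960 4fc Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe are not trusted: Error 0x800b0001
2012-06-18 20:10:45:861 960 4fc Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-06-18 20:10:45:907 960 4fc Misc Microsoft signed: Yes
2012-06-18 20:10:45:907 960 4fc Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab are not trusted: Error 0x800b0001
2012-06-18 20:10:46:048 960 4fc Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
2012-06-18 20:10:46:079 960 4fc Misc Microsoft signed: Yes
"""

# Symbolic name added by this example; the log itself only prints the number.
HRESULT_NAMES = {0x800B0001: "TRUST_E_PROVIDER_UNKNOWN"}

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})\s+(\d+)\s+([0-9a-fA-F]+)\s+(\w+)\s+(.*)$")
VALIDATING = re.compile(r"Validating signature for (.+?):$")
SIGNED = re.compile(r"Microsoft signed: (Yes|No)")
UNTRUSTED = re.compile(r"Digital Signatures on file (.+?) are not trusted: Error (0x[0-9a-fA-F]+)")

def signature_checks(log_text):
    """One record per 'Validating signature' entry, completed by later lines of the same thread."""
    checks, current = [], {}          # current: thread id -> record still being filled in
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                  # truncated or wrapped line: ignore it
        ts, _pid, tid, _component, msg = m.groups()
        v = VALIDATING.search(msg)
        if v:
            current[tid] = {"time": ts, "path": v.group(1), "signed": None, "error": None}
            checks.append(current[tid])
            continue
        rec = current.get(tid)
        if rec is None:
            continue
        s, u = SIGNED.search(msg), UNTRUSTED.search(msg)
        if s:
            rec["signed"] = s.group(1) == "Yes"
        elif u and u.group(1) == rec["path"]:
            rec["error"] = int(u.group(2), 16)
    return checks

def untrusted(checks):
    """Checks that ended in a trust-verification error."""
    return [c for c in checks if c["error"] is not None]

def flapping(checks):
    """Paths that failed trust verification in one check and passed in another."""
    failed = {c["path"] for c in untrusted(checks)}
    return failed & {c["path"] for c in checks if c["error"] is None}

if __name__ == "__main__":
    for c in untrusted(signature_checks(SAMPLE_LOG)):
        print(c["time"], c["path"], HRESULT_NAMES.get(c["error"], hex(c["error"])))
```

On the sample, `flapping` returns the `muv4muredir.cab` path: the same file is reported untrusted and then validated without a warning 141 ms later, which a per-line search for `0x800b0001` would not show.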