Automatic Update: Access is Denied

(Windows XP Professional SP3)
Apologize in advance for a long message.

My Automatic Update is not running, even though "Automatic (recommended)"
checkbox is selected in System Properties - Automatic Updates tab.

After opening Services (services.msc), Automatic Updates's Description,
Status and Startup Type columns are empty. "Log On As" value is Local System.

When double clicking or right click -> select Properties on Automatic
Updates in Services, I get this message,
"Unable to open service Automatic Updates for reading on Local Computer.
Error 5: Access is denied."

When I go to Windows Update site and try installing updates manually
(), I
get "Error number: 0x80070005" during installation after download is complete.

This seems to happen after I got some spywares, which I removed through
scouring registries and cleaning offensive DLLs in system32 directory.

According to many articles indicated, this is a permission problems with
potential errors in registry. I tried a number of suggested fixes with no
successful result,

- Verified BITS is running
- Verified I'm in Administrator group
- Added Trace Flag in Windows registry
- Stopped AdAware daemon. Cannot stop Norton however. But I was able to
run Auto Updates before with Norton running
- Run 2 commands as suggested in this article,

a) "sc sdset bits ..." returned SUCCESS
"sc sdset wuauserv ..." returned "OpenService FAILED 5: Access is denied"
- Install and run SubInACL tool to repair file and registry permissions
()
* finish successfully, but same Access error afterwards
- Munually re-install Automatic Update client
()
* Browse C:\windows\ServicePackFiles\i386 where wuapi.dll is located.
Restart the system. Same Access is Denied error
- Any attempt to "net stop/start wuauserv" returns Access is Denied

Random clues:

%windir%\inf\wuau.adm
======================
I notice in this file it uses,
KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
which is a path I don't have under HKLM, does this indicate a problem?

%windir%\setupapi.log
=====================
#-290 Processing REGISTERDLLS section [AU_dlls]. Binary: "%11%\wuaueng.dll",
flags: 0x0001, timeout: 60s.
#E127 Calling "DllRegisterServer" in OLE Control
"C:\WINDOWS\system32\wuaueng.dll" failed. Error 0x80070005: Access is denied.
#E291 Failed to register OLE server "C:\WINDOWS\system32\wuaueng.dll". Error
0x80070005: Access is denied.

%windir%\WindowsUpdate.log
==========================
- I added a Trace flag in registry for WindowsUpdate
(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace, Flags=7,
Level=4). Below is the log it generates during reboot.
------------------ 8< -----------------------
2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error 0x80070005
2009-02-06 11:52:47-0800 4708 16f4 WU client fail to create WU service with
error 0x80070005
2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005) for
service "wuauserv", permissions = 0x00000004
2009-02-06 11:53:20-0800 4080 248 AU service is not running.
2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed,
hr=8024000C
2009-02-06 11:54:03-0800 1104 af8 AU service is not running.
2009-02-06 11:54:03-0800 1104 af8 WUAutoUpdateAtShutdown failed, hr=8024000C
2009-02-06 11:55:30-0800 1544 a24 Service Main starts
2009-02-06 11:55:30-0800 1544 a24 updated service status to 2
2009-02-06 11:55:30-0800 1544 a24 Processing any required registration
2009-02-06 11:55:30-0800 1544 a24 CSusProxyManager successfully initialized.
2009-02-06 11:55:30-0800 1544 a24 CIpAddressMonitor::CreateListenSocket
returning with hr = 0
2009-02-06 11:55:30-0800 1544 a24 Logging events locally at
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log.
2009-02-06 11:55:30-0800 1544 a24 Using event cache directory at
C:\WINDOWS\SoftwareDistribution\EventCache.
2009-02-06 11:55:30-0800 1544 a24 Using BatchFlushAge = 5240.
2009-02-06 11:55:30-0800 1544 a24 Using SamplingValue = 162.
2009-02-06 11:55:30-0800 1544 a24 Write buffer is empty. Not scheduling a
flush.
2009-02-06 11:55:30-0800 1544 a24 Successfully loaded event namespace
dictionary.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 1: Default Event.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 2: Retail Log event.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 3: Debug Log event.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 147: Agent has finished
detecting items.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 148: Error: Agent failed
detecting with reason: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 149: Unable to Connect:
Windows is unable to connect to the automatic updates service and therefore
cannot download and install updates according to the set schedule. Windows
will continue to try to establish a connection.
2009-02-06 11:55:31-0800 1544 a24 Performance warning: CTraceCategory::Trace
had to allocate memory
2009-02-06 11:55:31-0800 1544 a24 Loaded event 150: Update is installed.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 151: Update is installable.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 152: Update is superseded.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 154: Client has an invalid Pid.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 161: Error: Download failed.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 162: Download succeeded.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 163: Download canceled.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 182: Installation Failure:
Windows failed to install the following update with error %1: %2.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 183: Installation Successful:
Windows successfully installed the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 184: Installation successful
and restart required for the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 185: Hide update: user hid
one update.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 186: user cancelled the install
2009-02-06 11:55:31-0800 1544 a24 Loaded event 187: Installation killed:
Installation of the following update is killed by the agent: %2
2009-02-06 11:55:31-0800 1544 a24 Loaded event 188: Installation Ready: The
following updates are downloaded and ready for installation. This computer is
currently scheduled to install these updates on %1 at %2: %3
2009-02-06 11:55:31-0800 1544 a24 Loaded event 189: Installation Ready: The
following updates are downloaded and ready for installation. To install the
updates, an administrator should log on to this computer and Windows will
prompt with further instructions: %1
2009-02-06 11:55:31-0800 1544 a24 Performance warning: CTraceCategory::Trace
had to allocate memory
2009-02-06 11:55:31-0800 1544 a24 Loaded event 190: Installation Successful:
Windows successfully installed the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 191: Installation successful
and restart required for the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 192: Installation killed:
Installation of the following update is killed by the agent: %2
2009-02-06 11:55:31-0800 1544 a24 Loaded event 193: Restart Required: To
complete the installation of the following updates, the computer must be
restarted. Until this computer has been restarted, Windows cannot search for
or download new updates: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 194: Restart Required: To
complete the installation of the following updates, the computer will be
restarted within %1 minutes: %2
2009-02-06 11:55:31-0800 1544 a24 Loaded event 195: Installation Failure:
Windows failed to install the following update with error %1: %2.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 196: Unhide update: user
unhid one update.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 197: Installation Successful:
Windows successfully installed the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 198: Installation Failure:
Windows failed to install the following update with error %1: %2.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 199: Installation successful
and restart required for the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 200: Installation killed:
Installation of the following update is killed by the agent: %2
2009-02-06 11:55:31-0800 1544 a24 Loaded event 201: Installation pending.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 221: Uninstallation Failure:
Windows failed to uninstall the following update with error %1: %2.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 222: Uninstallation
Successful: Windows successfully uninstalled the following update: %1.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 223: User cancelled the
uninstall.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 224: Uninstallation
successful and restart required for the following update: %1.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 225: Uninstallation killed:
Uninstallation of the following update is killed by the agent: %2.
2009-02-06 11:55:31-0800 1544 a24 Successfully loaded client event namespace
descriptor.
2009-02-06 11:55:31-0800 1544 a24 Successfully initialized local event
logger. Events will be logged at
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log.
2009-02-06 11:55:31-0800 1544 a24 Successfully initialized NT event logger.
2009-02-06 11:55:31-0800 1544 a24 Batch flush age for server 0 is 120 seconds.
2009-02-06 11:55:31-0800 1544 a24 Write buffer is empty. Not scheduling a
flush.
2009-02-06 11:55:31-0800 1544 a24 Successfully initialized event uploader 0.
2009-02-06 11:55:31-0800 1544 a24 Batch flush age for server 1 is 5240
seconds.
2009-02-06 11:55:31-0800 1544 a24 Write buffer is empty. Not scheduling a
flush.
2009-02-06 11:55:31-0800 1544 a24 Successfully initialized event uploader 1.
2009-02-06 11:55:31-0800 1544 a24 destination 2 subscribes for subscription
1 with internalrouting 0
2009-02-06 11:55:31-0800 1544 a24 destination 2 subscribes for subscription
0 with internalrouting 0
2009-02-06 11:55:31-0800 1544 a24 Network interfaces : 1
2009-02-06 11:55:31-0800 1544 a24 Signal subscription event 8
2009-02-06 11:55:31-0800 1544 a24 create subscription event for destination
2 and routing 0
2009-02-06 11:55:31-0800 1544 a24 destination 2 subscribes for subscription
8 with internalrouting 0
2009-02-06 11:55:31-0800 1544 a24 Network interfaces : 1
2009-02-06 11:55:31-0800 1544 a24 destination 2 subscribes for subscription
9 with internalrouting 0
2009-02-06 11:55:31-0800 1544 a24 EE Handler QI: ISusExprEvaluate
2009-02-06 11:55:31-0800 1544 a24 CEEMsiHandler::AddRef: refcount is 2
2009-02-06 11:55:31-0800 1544 a24 Initializing BITS callback handler.
2009-02-06 11:55:31-0800 1544 a24 AddRef: ref count -> 1
2009-02-06 11:55:31-0800 1544 a24 DH Listener AddRef: ref count -> 1
2009-02-06 11:55:31-0800 1544 a24 Handler QI: IUnknown
2009-02-06 11:55:31-0800 1544 a24 CUHHandlerBase::AddRef: refcount is 2
2009-02-06 11:55:31-0800 1544 a24 CUHHandlerBase::Release: refcount is 1
2009-02-06 11:55:31-0800 1544 a24 Handler QI: ISusUpdateInstallerInfo
2009-02-06 11:55:31-0800 1544 a24 CUHHandlerBase::AddRef: refcount is 2
2009-02-06 11:55:31-0800 1544 a24 CUHHandlerBase::Release: refcount is 1
2009-02-06 11:55:31-0800 1544 a24 ref count on CCR after AddRef is 2
2009-02-06 11:55:31-0800 1544 a24 ref count on CCR after Release is 1
2009-02-06 11:55:31-0800 1544 a24 fail to register class object 0x80004015
2009-02-06 11:55:31-0800 1544 a24 Client call recorder fails to init with
error 0x80004015
2009-02-06 11:55:31-0800 1544 a24 WU client with version 5.4.3790.5512
failed to initialize with error 0x80004015 from component agent
2009-02-06 11:55:31-0800 1544 a24 Failed to initialize WU client: 0x80004015
2009-02-06 11:55:31-0800 1544 a24 updated service status to 3
2009-02-06 11:55:32-0800 1544 a24 CEEMsiHandler::Release: refcount is 1
2009-02-06 11:55:32-0800 1544 a24 CEEMsiHandler::Release: refcount is 0
2009-02-06 11:55:32-0800 1544 a24 CUHHandlerBase::Release: refcount is 0
2009-02-06 11:55:32-0800 1544 a24 Submitting work item thread request.
2009-02-06 11:55:32-0800 1544 a24 new event 1 of type 2 added to event system
2009-02-06 11:55:32-0800 1544 a24 Asynchronously flushing
CEventQueue@00608220.
2009-02-06 11:55:32-0800 1544 a24 Asynchronously flushing
CEventQueue@00608220.
2009-02-06 11:55:32-0800 1544 a24 Done with asynchronous flush.
2009-02-06 11:55:32-0800 1544 a24 event 1 of type 2 removed from event system
2009-02-06 11:55:32-0800 1544 a24 DH Listener Release: ref count -> 0
2009-02-06 11:55:32-0800 1544 a24 DH Listener waiting for m_hSafeToDeleteEvent
2009-02-06 11:55:32-0800 1544 a24 Release: ref count -> 0
2009-02-06 11:55:32-0800 1544 a24 Waiting for m_hSafeToDeleteEvent
2009-02-06 11:55:32-0800 1544 a24 WUAUENG ServiceMain exits. Exit code is
0x80004015
------------------ >8 -----------------------

Again I apologize for the long message. But I'm running out of ideas. Any
help would be greatly appreciated!

 

> This seems to happen after I got some spywares, which I removed through<!--coloro:blue--><span style="color:blue <!--/coloro-->
> scouring registries and cleaning offensive DLLs in system32 directory.<!--colorc--><!--/colorc-->

You've got (much) more work to do:

1. See if you can download/run the MSRT manually:


2. Run this online scan (in safe mode w etworking, if need be):


3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum.

Checking for/Help with Hijackware







**Post your logs to
,
,
, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
=====================
Start a free Windows Update support incident request:


Support for Windows Update:


For home users, no-charge support is available by calling 1-866-PCSAFETY in
the United States and in Canada or by contacting your local Microsoft
subsidiary. There is no-charge for support calls that are associated with
security updates.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin
DTS-L


James wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
> (Windows XP Professional SP3)
> Apologize in advance for a long message.
>
> My Automatic Update is not running, even though "Automatic (recommended)"
> checkbox is selected in System Properties - Automatic Updates tab.
>
> After opening Services (services.msc), Automatic Updates's Description,
> Status and Startup Type columns are empty. "Log On As" value is Local
> System.
>
> When double clicking or right click -> select Properties on Automatic
> Updates in Services, I get this message,
> "Unable to open service Automatic Updates for reading on Local Computer.
> Error 5: Access is denied."
>
> When I go to Windows Update site and try installing updates manually
> (),
> I
> get "Error number: 0x80070005" during installation after download is
> complete.
>
> This seems to happen after I got some spywares, which I removed through
> scouring registries and cleaning offensive DLLs in system32 directory.
>
> According to many articles indicated, this is a permission problems with
> potential errors in registry. I tried a number of suggested fixes with no
> successful result,
>
> - Verified BITS is running
> - Verified I'm in Administrator group
> - Added Trace Flag in Windows registry
> - Stopped AdAware daemon. Cannot stop Norton however. But I was able to
> run Auto Updates before with Norton running
> - Run 2 commands as suggested in this article,
>
> a) "sc sdset bits ..." returned SUCCESS
> "sc sdset wuauserv ..." returned "OpenService FAILED 5: Access is
> denied" - Install and run SubInACL tool to repair file and registry
> permissions
> ()
> * finish successfully, but same Access error afterwards
> - Munually re-install Automatic Update client
> ()
> * Browse C:windowsServicePackFilesi386 where wuapi.dll is located.
> Restart the system. Same Access is Denied error
> - Any attempt to "net stop/start wuauserv" returns Access is Denied
>
> Random clues:
>
> %windir%infwuau.adm
> ======================
> I notice in this file it uses,
> KEYNAME "SoftwarePoliciesMicrosoftWindowsWindowsUpdateAU"
> which is a path I don't have under HKLM, does this indicate a problem?
>
> %windir%setupapi.log
> =====================
> #-290 Processing REGISTERDLLS section [AU_dlls]. Binary:
> "%11%wuaueng.dll",
> flags: 0x0001, timeout: 60s.
> #E127 Calling "DllRegisterServer" in OLE Control
> "C:WINDOWSsystem32wuaueng.dll" failed. Error 0x80070005: Access is
> denied. #E291 Failed to register OLE server
> "C:WINDOWSsystem32wuaueng.dll". Error 0x80070005: Access is denied.
>
> %windir%WindowsUpdate.log
> ==========================
> - I added a Trace flag in registry for WindowsUpdate
> (HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateTrace,
> Flags=7, Level=4). Below is the log it generates during reboot.
> ------------------ 8< -----------------------
> 2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error
> 0x80070005
> 2009-02-06 11:52:47-0800 4708 16f4 WU client fail to create WU service
> with
> error 0x80070005
> 2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005) for
> service "wuauserv", permissions = 0x00000004
> 2009-02-06 11:53:20-0800 4080 248 AU service is not running.
> 2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed,
> hr=8024000C
> 2009-02-06 11:54:03-0800 1104 af8 AU service is not running.
> 2009-02-06 11:54:03-0800 1104 af8 WUAutoUpdateAtShutdown failed,
> hr=8024000C<!--colorc--><!--/colorc-->
<snip>

 

I found a fix!!!

Thanks for the suggestions. I ran MSRT (20 hrs!), OTListIt2 and Security
Check. Fortunately no malicious software was found. I did run multiple
scans with Norton and AdAware in safe mode before and removed suspicious
softwares. However, there are really useful information from the scan output.

Turns out the Security setting of wuauserv was corrupted. Can't remember
how it happened. But it might have something to do some settings during
multiple scans.

Anyway, I was able to fix it by following steps as descripted here:
.

Thanks for the help.

James


"PA Bear [MS MVP]" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro--><!--coloro:green--><span style="color:green <!--/coloro-->
> > This seems to happen after I got some spywares, which I removed through
> > scouring registries and cleaning offensive DLLs in system32 directory.<!--colorc--><!--/colorc-->
>
> You've got (much) more work to do:
>
> 1. See if you can download/run the MSRT manually:
>
>
> 2. Run this online scan (in safe mode w etworking, if need be):
>
>
> 3. Run a /thorough/ check for hijackware, including posting the requested
> logs in an appropriate forum.
>
> Checking for/Help with Hijackware
>
>
>
>
>
>
>
> **Post your logs to
> ,
> ,
> , or another appropriate forum for review
> by an expert in such matters, not here.**
>
> If the procedures look too complex - and there is no shame in admitting this
> isn't your cup of tea - take the machine to a local, reputable and
> independent (i.e., not BigBoxStoreUSA) computer repair shop.
> =====================
> Start a free Windows Update support incident request:
>
>
> Support for Windows Update:
>
>
> For home users, no-charge support is available by calling 1-866-PCSAFETY in
> the United States and in Canada or by contacting your local Microsoft
> subsidiary. There is no-charge for support calls that are associated with
> security updates.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin
> DTS-L
>
>
> James wrote:<!--coloro:green--><span style="color:green <!--/coloro-->
> > (Windows XP Professional SP3)
> > Apologize in advance for a long message.
> >
> > My Automatic Update is not running, even though "Automatic (recommended)"
> > checkbox is selected in System Properties - Automatic Updates tab.
> >
> > After opening Services (services.msc), Automatic Updates's Description,
> > Status and Startup Type columns are empty. "Log On As" value is Local
> > System.
> >
> > When double clicking or right click -> select Properties on Automatic
> > Updates in Services, I get this message,
> > "Unable to open service Automatic Updates for reading on Local Computer.
> > Error 5: Access is denied."
> >
> > When I go to Windows Update site and try installing updates manually
> > (),
> > I
> > get "Error number: 0x80070005" during installation after download is
> > complete.
> >
> > This seems to happen after I got some spywares, which I removed through
> > scouring registries and cleaning offensive DLLs in system32 directory.
> >
> > According to many articles indicated, this is a permission problems with
> > potential errors in registry. I tried a number of suggested fixes with no
> > successful result,
> >
> > - Verified BITS is running
> > - Verified I'm in Administrator group
> > - Added Trace Flag in Windows registry
> > - Stopped AdAware daemon. Cannot stop Norton however. But I was able to
> > run Auto Updates before with Norton running
> > - Run 2 commands as suggested in this article,
> >
> > a) "sc sdset bits ..." returned SUCCESS
> > "sc sdset wuauserv ..." returned "OpenService FAILED 5: Access is
> > denied" - Install and run SubInACL tool to repair file and registry
> > permissions
> > ()
> > * finish successfully, but same Access error afterwards
> > - Munually re-install Automatic Update client
> > ()
> > * Browse C:windowsServicePackFilesi386 where wuapi.dll is located.
> > Restart the system. Same Access is Denied error
> > - Any attempt to "net stop/start wuauserv" returns Access is Denied
> >
> > Random clues:
> >
> > %windir%infwuau.adm
> > ======================
> > I notice in this file it uses,
> > KEYNAME "SoftwarePoliciesMicrosoftWindowsWindowsUpdateAU"
> > which is a path I don't have under HKLM, does this indicate a problem?
> >
> > %windir%setupapi.log
> > =====================
> > #-290 Processing REGISTERDLLS section [AU_dlls]. Binary:
> > "%11%wuaueng.dll",
> > flags: 0x0001, timeout: 60s.
> > #E127 Calling "DllRegisterServer" in OLE Control
> > "C:WINDOWSsystem32wuaueng.dll" failed. Error 0x80070005: Access is
> > denied. #E291 Failed to register OLE server
> > "C:WINDOWSsystem32wuaueng.dll". Error 0x80070005: Access is denied.
> >
> > %windir%WindowsUpdate.log
> > ==========================
> > - I added a Trace flag in registry for WindowsUpdate
> > (HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateTrace,
> > Flags=7, Level=4). Below is the log it generates during reboot.
> > ------------------ 8< -----------------------
> > 2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error
> > 0x80070005
> > 2009-02-06 11:52:47-0800 4708 16f4 WU client fail to create WU service
> > with
> > error 0x80070005
> > 2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005) for
> > service "wuauserv", permissions = 0x00000004
> > 2009-02-06 11:53:20-0800 4080 248 AU service is not running.
> > 2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed,
> > hr=8024000C
> > 2009-02-06 11:54:03-0800 1104 af8 AU service is not running.
> > 2009-02-06 11:54:03-0800 1104 af8 WUAutoUpdateAtShutdown failed,
> > hr=8024000C<!--colorc--><!--/colorc-->
> <snip>
>
> <!--colorc--><!--/colorc-->

 

> Turns out the Security setting of wuauserv was corrupted. Can't remember<!--coloro:blue--><span style="color:blue <!--/coloro-->
> how it happened.<!--colorc--><!--/colorc-->

That was the work of the hijackware infection(s).

James wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
> I found a fix!!!
>
> Thanks for the suggestions. I ran MSRT (20 hrs!), OTListIt2 and Security
> Check. Fortunately no malicious software was found. I did run multiple
> scans with Norton and AdAware in safe mode before and removed suspicious
> softwares. However, there are really useful information from the scan
> output.
>
> Turns out the Security setting of wuauserv was corrupted. Can't remember
> how it happened. But it might have something to do some settings during
> multiple scans.
>
> Anyway, I was able to fix it by following steps as descripted here:
> .
>
> Thanks for the help.
>
> James
>
>
> "PA Bear [MS MVP]" wrote:
><!--coloro:green--><span style="color:green <!--/coloro--><!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>> This seems to happen after I got some spywares, which I removed through
>>> scouring registries and cleaning offensive DLLs in system32 directory.<!--colorc--><!--/colorc-->
>>
>> You've got (much) more work to do:
>>
>> 1. See if you can download/run the MSRT manually:
>>
>>
>> 2. Run this online scan (in safe mode w etworking, if need be):
>>
>>
>> 3. Run a /thorough/ check for hijackware, including posting the requested
>> logs in an appropriate forum.
>>
>> Checking for/Help with Hijackware
>>
>>
>>
>>
>>
>>
>>
>> **Post your logs to
>> ,
>> ,
>> , or another appropriate forum for
>> review by an expert in such matters, not here.**
>>
>> If the procedures look too complex - and there is no shame in admitting
>> this isn't your cup of tea - take the machine to a local, reputable and
>> independent (i.e., not BigBoxStoreUSA) computer repair shop.
>> =====================
>> Start a free Windows Update support incident request:
>>
>>
>> Support for Windows Update:
>>
>>
>> For home users, no-charge support is available by calling 1-866-PCSAFETY
>> in
>> the United States and in Canada or by contacting your local Microsoft
>> subsidiary. There is no-charge for support calls that are associated
>> with
>> security updates.
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> AumHa VSOP & Admin
>> DTS-L
>>
>>
>> James wrote:<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>> (Windows XP Professional SP3)
>>> Apologize in advance for a long message.
>>>
>>> My Automatic Update is not running, even though "Automatic
>>> (recommended)"
>>> checkbox is selected in System Properties - Automatic Updates tab.
>>>
>>> After opening Services (services.msc), Automatic Updates's Description,
>>> Status and Startup Type columns are empty. "Log On As" value is Local
>>> System.
>>>
>>> When double clicking or right click -> select Properties on Automatic
>>> Updates in Services, I get this message,
>>> "Unable to open service Automatic Updates for reading on Local Computer.
>>> Error 5: Access is denied."
>>>
>>> When I go to Windows Update site and try installing updates manually
>>> (),
>>> I
>>> get "Error number: 0x80070005" during installation after download is
>>> complete.
>>>
>>> This seems to happen after I got some spywares, which I removed through
>>> scouring registries and cleaning offensive DLLs in system32 directory.
>>>
>>> According to many articles indicated, this is a permission problems with
>>> potential errors in registry. I tried a number of suggested fixes with
>>> no
>>> successful result,
>>>
>>> - Verified BITS is running
>>> - Verified I'm in Administrator group
>>> - Added Trace Flag in Windows registry
>>> - Stopped AdAware daemon. Cannot stop Norton however. But I was able
>>> to
>>> run Auto Updates before with Norton running
>>> - Run 2 commands as suggested in this article,
>>>
>>> a) "sc sdset bits ..." returned SUCCESS
>>> "sc sdset wuauserv ..." returned "OpenService FAILED 5: Access is
>>> denied" - Install and run SubInACL tool to repair file and registry
>>> permissions
>>> ()
>>> * finish successfully, but same Access error afterwards
>>> - Munually re-install Automatic Update client
>>> ()
>>> * Browse C:windowsServicePackFilesi386 where wuapi.dll is located.
>>> Restart the system. Same Access is Denied error
>>> - Any attempt to "net stop/start wuauserv" returns Access is Denied
>>>
>>> Random clues:
>>>
>>> %windir%infwuau.adm
>>> ======================
>>> I notice in this file it uses,
>>> KEYNAME "SoftwarePoliciesMicrosoftWindowsWindowsUpdateAU"
>>> which is a path I don't have under HKLM, does this indicate a problem?
>>>
>>> %windir%setupapi.log
>>> =====================
>>> #-290 Processing REGISTERDLLS section [AU_dlls]. Binary:
>>> "%11%wuaueng.dll",
>>> flags: 0x0001, timeout: 60s.
>>> #E127 Calling "DllRegisterServer" in OLE Control
>>> "C:WINDOWSsystem32wuaueng.dll" failed. Error 0x80070005: Access is
>>> denied. #E291 Failed to register OLE server
>>> "C:WINDOWSsystem32wuaueng.dll". Error 0x80070005: Access is denied.
>>>
>>> %windir%WindowsUpdate.log
>>> ==========================
>>> - I added a Trace flag in registry for WindowsUpdate
>>> (HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateTrace,
>>> Flags=7, Level=4). Below is the log it generates during reboot.
>>> ------------------ 8< -----------------------
>>> 2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error
>>> 0x80070005
>>> 2009-02-06 11:52:47-0800 4708 16f4 WU client fail to create WU service
>>> with
>>> error 0x80070005
>>> 2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005)
>>> for
>>> service "wuauserv", permissions = 0x00000004
>>> 2009-02-06 11:53:20-0800 4080 248 AU service is not running.
>>> 2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed,
>>> hr=8024000C
>>> 2009-02-06 11:54:03-0800 1104 af8 AU service is not running.
>>> 2009-02-06 11:54:03-0800 1104 af8 WUAutoUpdateAtShutdown failed,
>>> hr=8024000C<!--colorc--><!--/colorc-->
>> <snip> <!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->

 

Hello Everyone,

After 3 days of seaching and comparing registries with 3 computers I found
the Fix

Error code 0x80070005 Can not enable Automatic Updates

First Run Malwarbytes and your antivirus program to remove scum viruses.

After Viruses are removed.

Log in to Safe Mode with Administrator Privilages

Click Start >
Run >
Type "regedit" (with out " ")

On the menu bar choose edit > Find > on the text box type "wuauserv" (with
out " "). Remove the check marks named values and Data (only Keys should
remain checked. > click on Find Next

Go through all the keys one at a time and first check its permissions by
right clicking on the key > Permissions > enable FULL CONTROL > CLICK APPLY

NOW ON THE IMAGEPATH CHANGE %fystemroot%\System32\svchost.exe -k netsvcs
to read correctly at "%SystemRoot%\System32\svchost.exe -k netsvcs (only
the S is changed to f). (You do this by right clicking the imagepath on the
right hand side pane and select modify)

HIT the F3 button to Find the next wuauserv key and do the same steps.

check permissions on each key and change if necessary (remember you must be
in SAFE MODE ADMINISTRATOR).

Now do the same steps for the BITS key

Check its permissions and set to Full control if necessary.

Finally, close Registry Editor.

Start > Run > services.msc

find Automatic Udates > Right click > Properties
under START UP TYPE > change to AUTOMATIC

Do the same for Bits if necessary.

And Walla Automatic Updates if back.

 

How have you determined that just running MBAM removed all traces of the
hijackware that infected your computer?

BayAreaDave wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hello Everyone,
>
> After 3 days of seaching and comparing registries with 3 computers I found
> the Fix
>
> Error code 0x80070005 Can not enable Automatic Updates
>
> First Run Malwarbytes and your antivirus program to remove scum viruses.
>
> After Viruses are removed.
>
> Log in to Safe Mode with Administrator Privilages
>
> Click Start >
> Run >
> Type "regedit" (with out " ")
>
> On the menu bar choose edit > Find > on the text box type "wuauserv" (with
> out " "). Remove the check marks named values and Data (only Keys should
> remain checked. > click on Find Next
>
> Go through all the keys one at a time and first check its permissions by
> right clicking on the key > Permissions > enable FULL CONTROL > CLICK
> APPLY
>
> NOW ON THE IMAGEPATH CHANGE %fystemroot%System32svchost.exe -k netsvcs
> to read correctly at "%SystemRoot%System32svchost.exe -k netsvcs (only
> the S is changed to f). (You do this by right clicking the imagepath on
> the
> right hand side pane and select modify)
>
> HIT the F3 button to Find the next wuauserv key and do the same steps.
>
> check permissions on each key and change if necessary (remember you must
> be
> in SAFE MODE ADMINISTRATOR).
>
> Now do the same steps for the BITS key
>
> Check its permissions and set to Full control if necessary.
>
> Finally, close Registry Editor.
>
> Start > Run > services.msc
>
> find Automatic Udates > Right click > Properties
> under START UP TYPE > change to AUTOMATIC
>
> Do the same for Bits if necessary.
>
> And Walla Automatic Updates if back. <!--colorc--><!--/colorc-->

 

After two days and probably 12 hours of working on my final bit of virus
removal for a friend's PC this post helped me take the last few steps to
reenable Windows Update.

Therefore, I'm posting all the major steps I took along with the final
procedure in order to help others out.

This PC had a bad virus situation. It was sending out 50k-60k emails a
day, had software that was disabling security like antivirus programs,
and I couldn't run process explorer or hijackthis on it at first.

Before I got it, the outdated McAffee was run on it and found a bunch
of things. An old version of Spybot was on I had installed. So I
started by getting the latest Spybot S&D which found about 4 malicious
threats. 2 of those came back after cleaning, however.

A web search led me to download Malwarebyte's Anti-malware program,
which was able to remove those 2 viruses and found a few more and
cleaned them. The final problem was that Windows Update was disabled...
thus started a journey of a 1000 steps... or 1000 DOS commands, or
something like that...

So here's the rest of the story on how I got Windows update back up.
It appears to be the same virus others in this thread posted about, but
I had to do a few extra things to get it running, here's the info.

The first part and a few others, are cut and paste from elsewhere with
useful information:

-----------------

Here is perhaps the most definitive (and long-running) conversation
about
that error:

=================
Start a free Windows Update support incident request:


Support for Windows Update:


For home users, no-charge support is available by calling
1-866-PCSAFETY in
the United States and in Canada or by contacting your local Microsoft
subsidiary. There is no-charge for support calls that are associated
with
security updates.

For more information about how to contact your local Microsoft
subsidiary
for security update support issues, visit the International Support
Web
site:

For enterprise customers, support for security updates is available
through
your usual support contacts.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin; DTS-L.netw



---------------

Finding the permissions problem:

Tried to run dos (cmd) and register all the dlls as per a posting. One
failed:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> net stop wuauserv
> net stop bits<!--colorc--><!--/colorc-->

(neither was started)
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> regsvr32 wuaueng.dll<!--colorc--><!--/colorc-->

Message pops up: DllRegistServer in wuaueng.dll failed. Return code
was: 0x80070005

According to many web posts this is a permissions problem.

--------------

Next tried doing a manual reinstall of Windows Update, as follows:

You can install the WindowsUpdageAgent which is available for download
from
and run the following
command;
***********************************************
WindowsUpdateAgent30-x86.exe /wuforce
***********************************************

I just renamed it to WUA30.exe and ran<!--coloro:blue--><span style="color:blue <!--/coloro--><!--coloro:green--><span style="color:green <!--/coloro-->
>> WUA30.exe /wuforce<!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->
to force the install. The install failed with following error number:
0x8024d007

-----------

At some point around here I tried using the SubInACL tool (see
) to reset
the permissions. This failed to change the affected registry keys for
wuausrv (I wasn't aware of the problem with BITS at this point)

Maybe this would have worked if I had run it in safe mode, but I wasn't
aware of the virus changes to the paths at this point either...

----------------------------

Posted fix in safe mode as Administrator by someone else:

Hello Everyone,

After 3 days of seaching and comparing registries with 3 computers I
found
the Fix

Error code 0x80070005 Can not enable Automatic Updates

First Run Malwarbytes and your antivirus program to remove scum
viruses.

After Viruses are removed.

Log in to Safe Mode with Administrator Privilages

Click Start >
Run >
Type "regedit" (with out " ")

On the menu bar choose edit > Find > on the text box type "wuauserv"
(with
out " "). Remove the check marks named values and Data (only Keys
should
remain checked. > click on Find Next

Go through all the keys one at a time and first check its permissions
by
right clicking on the key > Permissions > enable FULL CONTROL > CLICK
APPLY

NOW ON THE IMAGEPATH CHANGE %fystemroot%\System32\svchost.exe -k
netsvcs
to read correctly at "%SystemRoot%\System32\svchost.exe -k netsvcs
(only
the S is changed to f). (You do this by right clicking the imagepath on
the
right hand side pane and select modify)

HIT the F3 button to Find the next wuauserv key and do the same steps.

check permissions on each key and change if necessary (remember you
must be
in SAFE MODE ADMINISTRATOR).

Now do the same steps for the BITS key

Check its permissions and set to Full control if necessary.

Finally, close Registry Editor.

Start > Run > services.msc

find Automatic Udates > Right click > Properties
under START UP TYPE > change to AUTOMATIC

Do the same for Bits if necessary.

And Walla Automatic Updates if back.


----------------

Some notes, clarification and my final process to fix things on my PC:


It does not have to be the official "Administrator" account as long
as the user you log into in safe mode has Administrator access.

When you do 'find' in regedit is when he means to uncheck the 'values'
and 'data' box. I thought he meant during editing after you get to
the
keys... but these should be the keys that need to be changes. There
may
be additional ones so if it doesn't work try a full search and check
the permissions on every key it finds

The appropriate keys on my machine were:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

Searching for bits and wuauserv found other entries and keys
that were not affected

In these keys the permissions had been changed to only administrator
with only read permission. To get the full list back I did the
following:

- Right click on wuauserv key, choose permissions
- See only administrators in the list.
- Click "Advanced" at the bottom
- Checkbox "Inherit from parent the permission entries that apply to
child
objects. Include these with entries explicitly defined here"
- Click OK
- Click OK

- In the right pane double-click the "ImagePath" key to edit it
- Change the "%fystemroot%" at the beginning of the path to
"%systemroot%"
(the virus had purposely edited it to be misspelled)
- After doing this on ControlSet001 and COntrolSet004 the changes
already
showed up in CurrentControlSet when I got there

In services.msc,
Automatic Updates was set to Automatic startup type
Background Intelligent Transfer service was set to Manual startup type

No need to change either of those

But boot back into windows normal mode and all the permissions are
changed back and the ImagePath values are corrupted again.

So, I go through the virusscan mode again, this time trying the full-on
normal-mode, turnoff system restore, and then rescan in safe mode
method.

1. TURN OFF SYSTEM RESTORE
2. Full scan with Malware - clean
3. Full scan with spybot - clean

4. Reboot into safe mode on an adminstrator-enabled account

5. normal scan with Malware - clean
6. Full scan with McAfee - subscription ran out about 3/2009, 3 months
ago

- found 2 files, I think from heuristic search, one auto-cleaned, I
quarantined the other

7. Now, go back and redo the permissions and path updates on the 6
registry keys
8. This time, however, I opened a dos prompt in safe mode and ran the
regsvr32 wuaueng.dll
- SUCCESS!!

9. I rebooted into normal mode windows and Windows Update was
running.
10. Checked the bad registry keys and they were all still in the
correct new state

So, I'm not sure if it was the 2 files mcaffee found, disabling the
system restore,
or running the regsvr32 command while still in safe mode, but I'm now
up and running.

Just wanted to share the procedure!


--
LightCC
------------------------------------------------------------------------
LightCC's Profile:
View this thread:

 

> The appropriate keys on my machine were:<!--coloro:blue--><span style="color:blue <!--/coloro-->
>
> HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesBITS
> HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceswuauserv
> HKEY_LOCAL_MACHINESYSTEMControlSet004ServicesBITS
> HKEY_LOCAL_MACHINESYSTEMControlSet004Serviceswuauserv
> HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesBITS
> HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceswuauserv<!--colorc--><!--/colorc-->

There should be no ControlSet subkeys numbered higher than 3. The
ControlSet004 was created by the malware.

The *only* subkey that needs editing is CurrentControlSet.

The other subkeys, ControlSet001 -ControlSet003, are pointed to by
CurrentControlSet.
Although the KB below is for Windows NT, the only difference is that
there is no Clone subkey.

What are Control Sets? What is CurrentControlSet?

<!--coloro:blue--><span style="color:blue <!--/coloro-->
> The most valuable and reliable control set is CurrentControlSet. If you need to modify system
> settings in the Registry, CurrentControlSet is the best subkey to choose because you know that it is
> the correct control set. You also know that if your modifications harm your system configuration, you
> will still be able to boot using the last known good control set. <!--colorc--><!--/colorc-->

EX: [HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000003

If the system fails to boot, upon the restart the boot menu will appear.
The same boot menu shows up when one presses F8 prior to Windows loading
in order to reach Safe Mode.
Choosing the LastKnownGood configuration on the boot menu will load the
last successfully loaded ControlSet, which in this case is ControlSet003.
<!--coloro:blue--><span style="color:blue <!--/coloro--><!--coloro:green--><span style="color:green <!--/coloro-->
>> But boot back into windows normal mode and all the permissions are
>> changed back and the ImagePath values are corrupted again.<!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->

Cleaning a system *first* will preclude having to reset perms and
imagepath values more than once however, some of the tools needed to
remove most current malwares can be deleterious to the system.
Which is precisely why disabling System Restore should be done as a
*last* step. It will add time to the scans but ... it's best to have a
rat infested [malware] lifeboat rather than none at all.

Emptying all temp and temporary internet files *will* cut down on the
scan times without risking a non-boot situation.

Otherwise ... nice writeups LightCC and BayAreaDave.


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============



LightCC wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> After two days and probably 12 hours of working on my final bit of virus
> removal for a friend's PC this post helped me take the last few steps to
> reenable Windows Update.
>
> Therefore, I'm posting all the major steps I took along with the final
> procedure in order to help others out.
>
> This PC had a bad virus situation. It was sending out 50k-60k emails a
> day, had software that was disabling security like antivirus programs,
> and I couldn't run process explorer or hijackthis on it at first.
>
> Before I got it, the outdated McAffee was run on it and found a bunch
> of things. An old version of Spybot was on I had installed. So I
> started by getting the latest Spybot S&D which found about 4 malicious
> threats. 2 of those came back after cleaning, however.
>
> A web search led me to download Malwarebyte's Anti-malware program,
> which was able to remove those 2 viruses and found a few more and
> cleaned them. The final problem was that Windows Update was disabled...
> thus started a journey of a 1000 steps... or 1000 DOS commands, or
> something like that...
>
> So here's the rest of the story on how I got Windows update back up.
> It appears to be the same virus others in this thread posted about, but
> I had to do a few extra things to get it running, here's the info.
>
> The first part and a few others, are cut and paste from elsewhere with
> useful information:
>
> -----------------
>
> Here is perhaps the most definitive (and long-running) conversation
> about
> that error:
>
> =================
> Start a free Windows Update support incident request:
>
>
> Support for Windows Update:
>
>
> For home users, no-charge support is available by calling
> 1-866-PCSAFETY in
> the United States and in Canada or by contacting your local Microsoft
> subsidiary. There is no-charge for support calls that are associated
> with
> security updates.
>
> For more information about how to contact your local Microsoft
> subsidiary
> for security update support issues, visit the International Support
> Web
> site:
>
> For enterprise customers, support for security updates is available
> through
> your usual support contacts.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE, OE, Security, Shell/User)
> AumHa VSOP & Admin; DTS-L.netw
>
>
>
> ---------------
>
> Finding the permissions problem:
>
> Tried to run dos (cmd) and register all the dlls as per a posting. One
> failed:
>
> <!--coloro:green--><span style="color:green <!--/coloro-->
>>net stop wuauserv
>>net stop bits<!--colorc--><!--/colorc-->
>
>
> (neither was started)
>
> <!--coloro:green--><span style="color:green <!--/coloro-->
>>regsvr32 wuaueng.dll<!--colorc--><!--/colorc-->
>
>
> Message pops up: DllRegistServer in wuaueng.dll failed. Return code
> was: 0x80070005
>
> According to many web posts this is a permissions problem.
>
> --------------
>
> Next tried doing a manual reinstall of Windows Update, as follows:
>
> You can install the WindowsUpdageAgent which is available for download
> from
> and run the following
> command;
> ***********************************************
> WindowsUpdateAgent30-x86.exe /wuforce
> ***********************************************
>
> I just renamed it to WUA30.exe and ran
> <!--coloro:green--><span style="color:green <!--/coloro--><!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>>WUA30.exe /wuforce<!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->
>
> to force the install. The install failed with following error number:
> 0x8024d007
>
> -----------
>
> At some point around here I tried using the SubInACL tool (see
> ) to reset
> the permissions. This failed to change the affected registry keys for
> wuausrv (I wasn't aware of the problem with BITS at this point)
>
> Maybe this would have worked if I had run it in safe mode, but I wasn't
> aware of the virus changes to the paths at this point either...
>
> ----------------------------
>
> Posted fix in safe mode as Administrator by someone else:
>
> Hello Everyone,
>
> After 3 days of seaching and comparing registries with 3 computers I
> found
> the Fix
>
> Error code 0x80070005 Can not enable Automatic Updates
>
> First Run Malwarbytes and your antivirus program to remove scum
> viruses.
>
> After Viruses are removed.
>
> Log in to Safe Mode with Administrator Privilages
>
> Click Start >
> Run >
> Type "regedit" (with out " ")
>
> On the menu bar choose edit > Find > on the text box type "wuauserv"
> (with
> out " "). Remove the check marks named values and Data (only Keys
> should
> remain checked. > click on Find Next
>
> Go through all the keys one at a time and first check its permissions
> by
> right clicking on the key > Permissions > enable FULL CONTROL > CLICK
> APPLY
>
> NOW ON THE IMAGEPATH CHANGE %fystemroot%System32svchost.exe -k
> netsvcs
> to read correctly at "%SystemRoot%System32svchost.exe -k netsvcs
> (only
> the S is changed to f). (You do this by right clicking the imagepath on
> the
> right hand side pane and select modify)
>
> HIT the F3 button to Find the next wuauserv key and do the same steps.
>
> check permissions on each key and change if necessary (remember you
> must be
> in SAFE MODE ADMINISTRATOR).
>
> Now do the same steps for the BITS key
>
> Check its permissions and set to Full control if necessary.
>
> Finally, close Registry Editor.
>
> Start > Run > services.msc
>
> find Automatic Udates > Right click > Properties
> under START UP TYPE > change to AUTOMATIC
>
> Do the same for Bits if necessary.
>
> And Walla Automatic Updates if back.
>
>
> ----------------
>
> Some notes, clarification and my final process to fix things on my PC:
>
>
> It does not have to be the official "Administrator" account as long
> as the user you log into in safe mode has Administrator access.
>
> When you do 'find' in regedit is when he means to uncheck the 'values'
> and 'data' box. I thought he meant during editing after you get to
> the
> keys... but these should be the keys that need to be changes. There
> may
> be additional ones so if it doesn't work try a full search and check
> the permissions on every key it finds
>
> The appropriate keys on my machine were:
>
> HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesBITS
> HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceswuauserv
> HKEY_LOCAL_MACHINESYSTEMControlSet004ServicesBITS
> HKEY_LOCAL_MACHINESYSTEMControlSet004Serviceswuauserv
> HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesBITS
> HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceswuauserv
>
> Searching for bits and wuauserv found other entries and keys
> that were not affected
>
> In these keys the permissions had been changed to only administrator
> with only read permission. To get the full list back I did the
> following:
>
> - Right click on wuauserv key, choose permissions
> - See only administrators in the list.
> - Click "Advanced" at the bottom
> - Checkbox "Inherit from parent the permission entries that apply to
> child
> objects. Include these with entries explicitly defined here"
> - Click OK
> - Click OK
>
> - In the right pane double-click the "ImagePath" key to edit it
> - Change the "%fystemroot%" at the beginning of the path to
> "%systemroot%"
> (the virus had purposely edited it to be misspelled)
> - After doing this on ControlSet001 and COntrolSet004 the changes
> already
> showed up in CurrentControlSet when I got there
>
> In services.msc,
> Automatic Updates was set to Automatic startup type
> Background Intelligent Transfer service was set to Manual startup type
>
> No need to change either of those
>
> But boot back into windows normal mode and all the permissions are
> changed back and the ImagePath values are corrupted again.
>
> So, I go through the virusscan mode again, this time trying the full-on
> normal-mode, turnoff system restore, and then rescan in safe mode
> method.
>
> 1. TURN OFF SYSTEM RESTORE
> 2. Full scan with Malware - clean
> 3. Full scan with spybot - clean
>
> 4. Reboot into safe mode on an adminstrator-enabled account
>
> 5. normal scan with Malware - clean
> 6. Full scan with McAfee - subscription ran out about 3/2009, 3 months
> ago
>
> - found 2 files, I think from heuristic search, one auto-cleaned, I
> quarantined the other
>
> 7. Now, go back and redo the permissions and path updates on the 6
> registry keys
> 8. This time, however, I opened a dos prompt in safe mode and ran the
> regsvr32 wuaueng.dll
> - SUCCESS!!
>
> 9. I rebooted into normal mode windows and Windows Update was
> running.
> 10. Checked the bad registry keys and they were all still in the
> correct new state
>
> So, I'm not sure if it was the 2 files mcaffee found, disabling the
> system restore,
> or running the regsvr32 command while still in safe mode, but I'm now
> up and running.
>
> Just wanted to share the procedure!
>
> <!--colorc--><!--/colorc-->

 

Hi james

would u like tell the method which can fix this update error ?
The link" which u give can not open.
also can mail to simon.meng@the-ascott.com
thanks a lot for ur help



"James" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> I found a fix!!!
>
> Thanks for the suggestions. I ran MSRT (20 hrs!), OTListIt2 and Security
> Check. Fortunately no malicious software was found. I did run multiple
> scans with Norton and AdAware in safe mode before and removed suspicious
> softwares. However, there are really useful information from the scan output.
>
> Turns out the Security setting of wuauserv was corrupted. Can't remember
> how it happened. But it might have something to do some settings during
> multiple scans.
>
> Anyway, I was able to fix it by following steps as descripted here:
> .
>
> Thanks for the help.
>
> James
>
>
> "PA Bear [MS MVP]" wrote:
> <!--coloro:green--><span style="color:green <!--/coloro--><!--coloro:darkred--><span style="color:darkred <!--/coloro-->
> > > This seems to happen after I got some spywares, which I removed through
> > > scouring registries and cleaning offensive DLLs in system32 directory.<!--colorc--><!--/colorc-->
> >
> > You've got (much) more work to do:
> >
> > 1. See if you can download/run the MSRT manually:
> >
> >
> > 2. Run this online scan (in safe mode w etworking, if need be):
> >
> >
> > 3. Run a /thorough/ check for hijackware, including posting the requested
> > logs in an appropriate forum.
> >
> > Checking for/Help with Hijackware
> >
> >
> >
> >
> >
> >
> >
> > **Post your logs to
> > ,
> > ,
> > , or another appropriate forum for review
> > by an expert in such matters, not here.**
> >
> > If the procedures look too complex - and there is no shame in admitting this
> > isn't your cup of tea - take the machine to a local, reputable and
> > independent (i.e., not BigBoxStoreUSA) computer repair shop.
> > =====================
> > Start a free Windows Update support incident request:
> >
> >
> > Support for Windows Update:
> >
> >
> > For home users, no-charge support is available by calling 1-866-PCSAFETY in
> > the United States and in Canada or by contacting your local Microsoft
> > subsidiary. There is no-charge for support calls that are associated with
> > security updates.
> > --
> > ~Robear Dyer (PA Bear)
> > MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> > AumHa VSOP & Admin
> > DTS-L
> >
> >
> > James wrote:<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
> > > (Windows XP Professional SP3)
> > > Apologize in advance for a long message.
> > >
> > > My Automatic Update is not running, even though "Automatic (recommended)"
> > > checkbox is selected in System Properties - Automatic Updates tab.
> > >
> > > After opening Services (services.msc), Automatic Updates's Description,
> > > Status and Startup Type columns are empty. "Log On As" value is Local
> > > System.
> > >
> > > When double clicking or right click -> select Properties on Automatic
> > > Updates in Services, I get this message,
> > > "Unable to open service Automatic Updates for reading on Local Computer.
> > > Error 5: Access is denied."
> > >
> > > When I go to Windows Update site and try installing updates manually
> > > (),
> > > I
> > > get "Error number: 0x80070005" during installation after download is
> > > complete.
> > >
> > > This seems to happen after I got some spywares, which I removed through
> > > scouring registries and cleaning offensive DLLs in system32 directory.
> > >
> > > According to many articles indicated, this is a permission problems with
> > > potential errors in registry. I tried a number of suggested fixes with no
> > > successful result,
> > >
> > > - Verified BITS is running
> > > - Verified I'm in Administrator group
> > > - Added Trace Flag in Windows registry
> > > - Stopped AdAware daemon. Cannot stop Norton however. But I was able to
> > > run Auto Updates before with Norton running
> > > - Run 2 commands as suggested in this article,
> > >
> > > a) "sc sdset bits ..." returned SUCCESS
> > > "sc sdset wuauserv ..." returned "OpenService FAILED 5: Access is
> > > denied" - Install and run SubInACL tool to repair file and registry
> > > permissions
> > > ()
> > > * finish successfully, but same Access error afterwards
> > > - Munually re-install Automatic Update client
> > > ([url=http://msmvps.com/blogs/athif/pages/49608.aspx" target="_blank http://msmvps.com/blogs/athif/pages/49608.aspx[url])
> > > * Browse C:windowsServicePackFilesi386 where wuapi.dll is located.
> > > Restart the system. Same Access is Denied error
> > > - Any attempt to "net stop/start wuauserv" returns Access is Denied
> > >
> > > Random clues:
> > >
> > > %windir%infwuau.adm
> > > ======================
> > > I notice in this file it uses,
> > > KEYNAME "SoftwarePoliciesMicrosoftWindowsWindowsUpdateAU"
> > > which is a path I don't have under HKLM, does this indicate a problem?
> > >
> > > %windir%setupapi.log
> > > =====================
> > > #-290 Processing REGISTERDLLS section [AU_dlls]. Binary:
> > > "%11%wuaueng.dll",
> > > flags: 0x0001, timeout: 60s.
> > > #E127 Calling "DllRegisterServer" in OLE Control
> > > "C:WINDOWSsystem32wuaueng.dll" failed. Error 0x80070005: Access is
> > > denied. #E291 Failed to register OLE server
> > > "C:WINDOWSsystem32wuaueng.dll". Error 0x80070005: Access is denied.
> > >
> > > %windir%WindowsUpdate.log
> > > ==========================
> > > - I added a Trace flag in registry for WindowsUpdate
> > > (HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateTrace,
> > > Flags=7, Level=4). Below is the log it generates during reboot.
> > > ------------------ 8< -----------------------
> > > 2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error
> > > 0x80070005
> > > 2009-02-06 11:52:47-0800 4708 16f4 WU client fail to create WU service
> > > with
> > > error 0x80070005
> > > 2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005) for
> > > service "wuauserv", permissions = 0x00000004
> > > 2009-02-06 11:53:20-0800 4080 248 AU service is not running.
> > > 2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed,
> > > hr=8024000C
> > > 2009-02-06 11:54:03-0800 1104 af8 AU service is not running.
> > > 2009-02-06 11:54:03-0800 1104 af8 WUAutoUpdateAtShutdown failed,
> > > hr=8024000C<!--colorc--><!--/colorc-->
> > <snip>
> >
> > <!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->[/url]

 

Try that link, simon.


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *not* have *non-security content* prechecked"



simon wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hi james
>
> would u like tell the method which can fix this update error ?
> The link" which u give can not open.
> also can mail to simon.meng@the-ascott.com
> thanks a lot for ur help
>
>
>
> "James" wrote:
>
> <!--coloro:green--><span style="color:green <!--/coloro-->
>>I found a fix!!!
>>
>>Thanks for the suggestions. I ran MSRT (20 hrs!), OTListIt2 and Security
>>Check. Fortunately no malicious software was found. I did run multiple
>>scans with Norton and AdAware in safe mode before and removed suspicious
>>softwares. However, there are really useful information from the scan output.
>>
>>Turns out the Security setting of wuauserv was corrupted. Can't remember
>>how it happened. But it might have something to do some settings during
>>multiple scans.
>>
>>Anyway, I was able to fix it by following steps as descripted here:
>>.
>>
>>Thanks for the help.
>>
>>James
>>
>><!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->

 

THANK YOU THANK YOU THANK YOU!

Specifically BayAreaDave and LightCC...

I must have spent about 8 hours total researching and trying different
things for this fix and the information on here fixed the problem for
me. I created this account just to thank you guys. Automatic Updates
is running fine now.


--
chrishongrocks
------------------------------------------------------------------------
chrishongrocks's Profile:
View this thread: