asked on

Automatic Updates gets "marked for deletion"

I'm fixing a Dell GX260 with XP Pro and SP2, although this problem started before either Service Pack was installed. Something is deleting the Automatic Updates service and I can't figure out what it is. Here's the sequence:
1) I reinstall the service using a batch file I found on a newsgroup. Then I can get Windows Updates, if there are any.
2) Upon reboot, the SP2 bubble comes up at the system tray saying that Automatic Updates is disabled. Clicking the bubble to enable it fails. When I go to the Services screen to enable it, it says it's started but disabled under startup type. Trying to change this to Automatic or Manual results in the message that this service is marked for deletion.
3) Another reboot and the Automatic Updates service is gone. Then I can reinstall with the batch file and start the whole thing over.

When failing, Windows Update fails with various errors, most frequently [Error number: 0x80070424].

I've turned off numerous items with msconfig, the run areas in the registry and with HijackThis to no avail. I can't figure out what's uninstalling it nor how to unmark a service for deletion. I've tried removing it myself using both the SC command and a services manager from LitePC to see if that clears the error before reinstalling, also to no avail. Any ideas?

Here's the current HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 5:01:21 AM, on 10/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\netclnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Downloads\From CWS Removal\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Goldrush World Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.games.yahoo.com/games/clients/y/ft3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097577412328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Here's the batch file I found to reinstall the Automatic Updates service:

cd /d %SystemRoot%\system32
regsvr32 comcat.dll /s
regsvr32 shdoc401.dll /s
regsvr32 shdoc401.dll /i /s
regsvr32 asctrls.ocx /s
regsvr32 oleaut32.dll /s
regsvr32 shdocvw.dll /I /s
regsvr32 shdocvw.dll /s
regsvr32 browseui.dll /s
regsvr32 browseui.dll /I /s
regsvr32 msrating.dll /s
regsvr32 mlang.dll /s
regsvr32 hlink.dll /s
regsvr32 mshtmled.dll /s
regsvr32 urlmon.dll /s
regsvr32 plugin.ocx /s
regsvr32 sendmail.dll /s
regsvr32 scrobj.dll /s
regsvr32 mmefxe.ocx /s
regsvr32 corpol.dll /s
regsvr32 jscript.dll /s
regsvr32 msxml.dll /s
regsvr32 imgutil.dll /s
regsvr32 thumbvw.dll /s
regsvr32 cryptext.dll /s
regsvr32 rsabase.dll /s
regsvr32 inseng.dll /s
regsvr32 iesetup.dll /i /s
regsvr32 cryptdlg.dll /s
regsvr32 actxprxy.dll /s
regsvr32 dispex.dll /s
regsvr32 occache.dll /s
regsvr32 occache.dll /i /s
regsvr32 iepeers.dll /s
regsvr32 urlmon.dll /i /s
regsvr32 cdfview.dll /s
regsvr32 webcheck.dll /s
regsvr32 mobsync.dll /s
regsvr32 pngfilt.dll /s
regsvr32 licmgr10.dll /s
regsvr32 icmfilter.dll /s
regsvr32 hhctrl.ocx /s
regsvr32 inetcfg.dll /s
regsvr32 tdc.ocx /s
regsvr32 MSR2C.DLL /s
regsvr32 msident.dll /s
regsvr32 msieftp.dll /s
regsvr32 xmsconf.ocx /s
regsvr32 ils.dll /s
regsvr32 msoeacct.dll /s
regsvr32 inetcomm.dll /s
regsvr32 msdxm.ocx /s
regsvr32 dxmasf.dll /s
regsvr32 l3codecx.ax /s
regsvr32 acelpdec.ax /s
regsvr32 mpg4ds32.ax /s
regsvr32 voxmsdec.ax /s
regsvr32 danim.dll /s
regsvr32 Daxctle.ocx /s
regsvr32 lmrt.dll /s
regsvr32 datime.dll /s
regsvr32 dxtrans.dll /s
regsvr32 dxtmsft.dll /s
regsvr32 WEBPOST.DLL /s
regsvr32 WPWIZDLL.DLL /s
regsvr32 POSTWPP.DLL /s
regsvr32 CRSWPP.DLL /s
regsvr32 FTPWPP.DLL /s
regsvr32 FPWPP.DLL /s
regsvr32 WUAPI.DLL /s
regsvr32 WUAUENG.DLL /s
regsvr32 ATL.DLL /s
regsvr32 WUCLTUI.DLL /s
regsvr32 WUPS.DLL /s
regsvr32 WUWEB.DLL /s
regsvr32 wshom.ocx /s
regsvr32 wshext.dll /s
regsvr32 vbscript.dll /s
regsvr32 scrrun.dll mstinit.exe /setup /s
regsvr32 msnsspc.dll /SspcCreateSspiReg /s
regsvr32 msapsspc.dll /SspcCreateSspiReg /s
exit

Thanks for your help.

ASKER CERTIFIED SOLUTION

SheharyaarSaahil

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

SheharyaarSaahil

and this time its ok, but from next time Dont post hijackthis logs unless u are requested by an Expert trying to help u :)
if its necessary to use log, then first analyse it at this site >> http://www.hijackthis.de/index.php?langselect=english

it can automatically analyse it for u and can tell that what are Nasty and Safe entries.... and if still u feel the need of an opinion, then u can see the Save Analyse button at the end of the analysed log page, hit it and it can save ur analysed log in a new page, copy the address of that page and paste here so that experts can look at it from there !! Thanx :)

FixIsIn

ASKER

Thanks for your quick response. I was just about to update with the cleaning I have done, but you beat me to the punch.

I've deleted all temp and temporary internet files by placing the drive in an external drive housing on another computer, run NortonAV 2005, Ad-aware and Spysweeper from that PC as well, then replacing the drive in its own system and running Housecall, Symantec On Line, Stinger, Ad-Aware SE 1.05, SpySweeper and Spybot S&D in it's own system. These are now coming back clean. I've also run SFC. The only thing from your list I haven't run it Pest Patrol. I'll check it out after sending this.

Thanks.

SheharyaarSaahil

that's impressive !! :)
I cud only see that one facked process.... so i thought why its here.... shud be kicked out, right :)

FixIsIn

ASKER

I think you nailed it! That's the first time I've seen such a trojan stay hidden from my tool set, although it's not unhead of to do a manual mop up in the system area and I hadn't tried that yet. By manual mop up I mean to disable exe or dll files that are suspect by renaming the suffix, especially if they don't have a Version tab under properties or a proper company name. I need to reboot and test this, but I'm thinking I'll probably be right back to say you da man.

And sorry about the premature hijackulation. This was my first post here and I was over excited. :)

When I'm searching for solutions and Google comes up with an Experts-Exchange post, these usually end up being the best answers. Thanks for the link to the hijackthis analysis. BRB with test results.

SheharyaarSaahil

hmmmm not to worry abt log, just be carefull from next time and that is enough :)
i have to go out for abt hal an hour, will be back to listen the results from you, good luck =)

FixIsIn

ASKER

I'm back, and You Da Man! Netclnt.exe was the problem and deleting it fixed it. That must have been left over from (I think) the Netsky virus they had earlier and I remove. Looks like I didn't get all of it. 500 points to you! And thanks again.

SheharyaarSaahil

great... & Cheers ^_^

Automatic Updates gets &quot;marked for deletion&quot;

Automatic Updates gets "marked for deletion"