Solved

Automatic Updates gets "marked for deletion"

Posted on 2004-10-13
Last Modified: 2008-01-09
I'm fixing a Dell GX260 with XP Pro and SP2, although this problem started before either Service Pack was installed. Something is deleting the Automatic Updates service and I can't figure out what it is. Here's the sequence:
1) I reinstall the service using a batch file I found on a newsgroup. Then I can get Windows Updates, if there are any.
2) Upon reboot, the SP2 bubble comes up at the system tray saying that Automatic Updates is disabled. Clicking the bubble to enable it fails. When I go to the Services screen to enable it, it says it's started but disabled under startup type. Trying to change this to Automatic or Manual results in the message that this service is marked for deletion.
3) Another reboot and the Automatic Updates service is gone. Then I can reinstall with the batch file and start the whole thing over.

When failing, Windows Update fails with various errors, most frequently [Error number: 0x80070424].

I've turned off numerous items with msconfig, the run areas in the registry and with HijackThis to no avail. I can't figure out what's uninstalling it nor how to unmark a service for deletion. I've tried removing it myself using both the SC command and a services manager from LitePC to see if that clears the error before reinstalling, also to no avail. Any ideas?

Here's the current HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 5:01:21 AM, on 10/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\netclnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Downloads\From CWS Removal\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Goldrush World Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.games.yahoo.com/games/clients/y/ft3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097577412328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


Here's the batch file I found to reinstall the Automatic Updates service:


cd /d %SystemRoot%\system32
regsvr32 comcat.dll /s
regsvr32 shdoc401.dll /s
regsvr32 shdoc401.dll /i /s
regsvr32 asctrls.ocx /s
regsvr32 oleaut32.dll /s
regsvr32 shdocvw.dll /I /s
regsvr32 shdocvw.dll /s
regsvr32 browseui.dll /s
regsvr32 browseui.dll /I /s
regsvr32 msrating.dll /s
regsvr32 mlang.dll /s
regsvr32 hlink.dll /s
regsvr32 mshtmled.dll /s
regsvr32 urlmon.dll /s
regsvr32 plugin.ocx /s
regsvr32 sendmail.dll /s
regsvr32 scrobj.dll /s
regsvr32 mmefxe.ocx /s
regsvr32 corpol.dll /s
regsvr32 jscript.dll /s
regsvr32 msxml.dll /s
regsvr32 imgutil.dll /s
regsvr32 thumbvw.dll /s
regsvr32 cryptext.dll /s
regsvr32 rsabase.dll /s
regsvr32 inseng.dll /s
regsvr32 iesetup.dll /i /s
regsvr32 cryptdlg.dll /s
regsvr32 actxprxy.dll /s
regsvr32 dispex.dll /s
regsvr32 occache.dll /s
regsvr32 occache.dll /i /s
regsvr32 iepeers.dll /s
regsvr32 urlmon.dll /i /s
regsvr32 cdfview.dll /s
regsvr32 webcheck.dll /s
regsvr32 mobsync.dll /s
regsvr32 pngfilt.dll /s
regsvr32 licmgr10.dll /s
regsvr32 icmfilter.dll /s
regsvr32 hhctrl.ocx /s
regsvr32 inetcfg.dll /s
regsvr32 tdc.ocx /s
regsvr32 MSR2C.DLL /s
regsvr32 msident.dll /s
regsvr32 msieftp.dll /s
regsvr32 xmsconf.ocx /s
regsvr32 ils.dll /s
regsvr32 msoeacct.dll /s
regsvr32 inetcomm.dll /s
regsvr32 msdxm.ocx /s
regsvr32 dxmasf.dll /s
regsvr32 l3codecx.ax /s
regsvr32 acelpdec.ax /s
regsvr32 mpg4ds32.ax /s
regsvr32 voxmsdec.ax /s
regsvr32 danim.dll /s
regsvr32 Daxctle.ocx /s
regsvr32 lmrt.dll /s
regsvr32 datime.dll /s
regsvr32 dxtrans.dll /s
regsvr32 dxtmsft.dll /s
regsvr32 WEBPOST.DLL /s
regsvr32 WPWIZDLL.DLL /s
regsvr32 POSTWPP.DLL /s
regsvr32 CRSWPP.DLL /s
regsvr32 FTPWPP.DLL /s
regsvr32 FPWPP.DLL /s
regsvr32 WUAPI.DLL /s
regsvr32 WUAUENG.DLL /s
regsvr32 ATL.DLL /s
regsvr32 WUCLTUI.DLL /s
regsvr32 WUPS.DLL /s
regsvr32 WUWEB.DLL /s
regsvr32 wshom.ocx /s
regsvr32 wshext.dll /s
regsvr32 vbscript.dll /s
regsvr32 scrrun.dll /s
mstinit.exe /setup /s
regsvr32 msnsspc.dll /SspcCreateSspiReg /s
regsvr32 msapsspc.dll /SspcCreateSspiReg /s
exit

Thanks for your help.
0
Comment
Question by:FixIsIn
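
For the symptom described in the question, the PowerShell sketch below (an added example, not part of the original post) reads the service's registry key to see whether the Service Control Manager has flagged it for deletion, and decodes the Windows Update error into its Win32 code. It assumes `wuauserv` as the short name of the Automatic Updates service and relies on the `DeleteFlag` value the SCM writes under a service key that is pending removal; the function names are hypothetical.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Assumes the Automatic Updates service short name is 'wuauserv'.

function Get-ServiceDeletionState {
    param([string]$Name = 'wuauserv')

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        # No key at all: the service is not installed (ERROR_SERVICE_DOES_NOT_EXIST).
        return [pscustomobject]@{ Service = $Name; State = 'NotInstalled'; Start = $null; ImagePath = $null }
    }

    $props      = Get-ItemProperty -LiteralPath $key
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # The SCM sets DeleteFlag = 1 when DeleteService is called on a service that
    # is still running or has open handles; removal then completes at reboot.
    $pending = ($props.PSObject.Properties.Name -contains 'DeleteFlag') -and ($props.DeleteFlag -eq 1)

    [pscustomobject]@{
        Service   = $Name
        State     = if ($pending) { 'MarkedForDeletion' } else { 'Present' }
        Start     = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { $null }
        ImagePath = $props.ImagePath
    }
}

function Convert-HResult {
    param([Parameter(Mandatory = $true)][int64]$HResult)

    # Hex literals such as 0x80070424 parse as negative Int32 values in
    # PowerShell, so normalise to the unsigned 32-bit form first.
    $u        = $HResult -band 4294967295
    $facility = ($u -shr 16) -band 0x1FFF
    $code     = [int]($u -band 0xFFFF)

    # Facility 7 (FACILITY_WIN32) wraps a plain Win32 error code.
    $text = $null
    if ($facility -eq 7) {
        $text = (New-Object System.ComponentModel.Win32Exception $code).Message
    }
    [pscustomobject]@{
        HResult = ('0x{0:X8}' -f $u); Facility = $facility; Code = $code; Message = $text
    }
}

Get-ServiceDeletionState
Convert-HResult 0x80070424   # the error quoted in the question
```

A `MarkedForDeletion` result that comes back after every reinstall and reboot means something on the machine keeps calling for the service's removal, which is a reason to look at what is running rather than at the service itself.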
8 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12297078
Hello FixIsIn =)

>> C:\WINDOWS\system32\netclnt.exe
Read here abt this process >> http://www.pestpatrol.com/PestInfo/n/net_raider.asp

So Run an Online Virus Scan >> http://housecall.trendmicro.com/
And Stinger in Safemode ==> http://vil.nai.com/vil/stinger
to make sure that the system is clean enough now !!

Don't forget to run Disk Cleanup to delete all temp files from ur system and SFC scan to make sure all system files are OK :)
Goto START>RUN and type, cmd  (hit enter)
now type, sfc /scannow  (hit enter)
SFC scan will start scanning ur system
u will need ur WinXP CD in order to fix the corrupted windows system files, if found by scan.

Post Back & Good Luck :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12297113
and this time it's ok, but from next time don't post hijackthis logs unless u are requested by an Expert trying to help u :)
if its necessary to use log, then first analyse it at this site >> http://www.hijackthis.de/index.php?langselect=english

it can automatically analyse it for u and can tell that what are Nasty and Safe entries.... and if still u feel the need of an opinion, then u can see the Save Analyse button at the end of the analysed log page, hit it and it can save ur analysed log in a new page, copy the address of that page and paste here so that experts can look at it from there !! Thanx :)
0
 

Author Comment

by:FixIsIn
ID: 12297140
Thanks for your quick response. I was just about to update with the cleaning I have done, but you beat me to the punch.

I've deleted all temp and temporary internet files by placing the drive in an external drive housing on another computer, run NortonAV 2005, Ad-aware and Spysweeper from that PC as well, then replacing the drive in its own system and running Housecall, Symantec On Line, Stinger, Ad-Aware SE 1.05, SpySweeper and Spybot S&D in its own system. These are now coming back clean. I've also run SFC. The only thing from your list I haven't run is Pest Patrol. I'll check it out after sending this.

Thanks.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12297180
that's impressive !! :)
I cud only see that one faked process.... so i thought why its here.... shud be kicked out, right :)
0
 

Author Comment

by:FixIsIn
ID: 12297338
I think you nailed it! That's the first time I've seen such a trojan stay hidden from my tool set, although it's not unheard of to do a manual mop up in the system area and I hadn't tried that yet. By manual mop up I mean to disable exe or dll files that are suspect by renaming the suffix, especially if they don't have a Version tab under properties or a proper company name. I need to reboot and test this, but I'm thinking I'll probably be right back to say you da man.

And sorry about the premature hijackulation. This was my first post here and I was over excited. :)

When I'm searching for solutions and Google comes up with an Experts-Exchange post, these usually end up being the best answers. Thanks for the link to the hijackthis analysis. BRB with test results.
0
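
The check described in the comment above (suspect files with no version information or no proper company name), applied to running processes as an added PowerShell sketch that is not part of the thread. The function name is hypothetical, and the Authenticode signature test is an extra signal beyond what the comment describes.

```powershell
# Added example (not from the thread). Function name is hypothetical.
# Read-only: lists candidates for review and changes nothing on disk.
function Get-UnverifiedSystemProcess {
    $root = $env:SystemRoot

    Get-Process |
        # Keep only processes whose image path is readable and sits under %SystemRoot%.
        Where-Object { $_.Path -and $_.Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object -Property Path -Unique |
        ForEach-Object {
            $info = (Get-Item -LiteralPath $_.Path).VersionInfo
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.Path

            $reasons = @()
            if ([string]::IsNullOrWhiteSpace($info.CompanyName)) { $reasons += 'no company name' }
            if ([string]::IsNullOrWhiteSpace($info.FileVersion)) { $reasons += 'no file version' }
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Process = $_.ProcessName
                    Path    = $_.Path
                    Reasons = $reasons -join '; '
                }
            }
        }
}

Get-UnverifiedSystemProcess | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that image paths of services are readable; a hit is a prompt for closer inspection, since legitimate third-party drivers and tools can also lack metadata.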
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12297387
hmmmm not to worry abt log, just be careful from next time and that is enough :)
i have to go out for abt half an hour, will be back to listen the results from you, good luck =)
0
 

Author Comment

by:FixIsIn
ID: 12297493
I'm back, and You Da Man! Netclnt.exe was the problem and deleting it fixed it. That must have been left over from (I think) the Netsky virus they had earlier and I removed. Looks like I didn't get all of it. 500 points to you! And thanks again.

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12297700
great... & Cheers ^_^
0
