Solved

Can't Start BIT and Automatic Updates Service

Posted on 2009-04-05
2,237 Views
Last Modified: 2012-05-06
Windows XP SP3 - I discovered when I tried to go to the Microsoft update site that my Background Intelligent Transfer and Automatic Updates services are not started. The BIT is set to be Automatic and the AU is set to Disabled. When I try to set AU to automatic I get an Access Denied message and when I try to start BIT I get an error that says "Could not start Background Intelligent Transfer service on local computer. Error 2: The system cannot find the file specified."

Also, I don't know if this is part of it or not but if I open an Internet page the images do not show up. Please advise.

Thank you!!

Robert
Question by:RobertEhinger
42 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 24073385
Go to the registry, and export the following values and paste them here please....

HKEY_LOCAL_MACHINE\XP-System\CurrentControlSet\Services\BITS
HKEY_LOCAL_MACHINE\XP-System\CurrentControlSet\Services\wuauserv

Have you tried another Administrative user to enable these?

And check to make sure that c:\windows\system32\svchost.exe is present, and please check it is signed by MS, and please check the modified date......
0
 
LVL 9

Expert Comment

by:samiam41
ID: 24073386
Have you run any kind of av/spyware scans?  Run this:

Malware Bytes -> http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html



0
 
LVL 9

Expert Comment

by:samiam41
ID: 24073388
CRAP!  Almost had first crack.  1 post!
0
 
LVL 9

Expert Comment

by:samiam41
ID: 24073395
MS Tool for fixing BITS service.

http://support.microsoft.com/kb/940520
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24073478
Also check;
In the Services, when you doubleclick on the Background Intelligent Transfer Service(BITS) does it have the right "path to executable"?
C:\WINDOWS\system32\svchost.exe -k netsvcs
It's possible that malware is at work there and changed the path.
A Hijackthis log won't hurt, it shows there the services too.
Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Open Hijackthis, click "Do a system scan and save a logfile"
Paste the log in the "Code Snippet" or "Attach File" window.
0
 
LVL 4

Expert Comment

by:BGTSLLC
ID: 24073762
Download and install Dial A Fix and Malwarebytes Anti-Malware.

Dial A Fix has a utility that will check for hidden policies and reinstall BITS and Update services without you having to do all that other stuff.

Run Malware to remove anything else.
0
 

Author Comment

by:RobertEhinger
ID: 24073871
http://support.microsoft.com/kb/940520 is for Windows Vista not XP

Have already run Malwarebytes Anti-Malware.

Ran Dial a fix and got this message- "Error 2147024891 was encountered while trying to unregister C:\WINDOWS\system32\wuaueng.dll. The error text is Access is denied."

Tried to reinstall BITS and the installation failed.

Here are screen shots of the Registry keys Johnb6767 asked for and the hijackthis log file.
bits.bmp
bits2.bmp
hijackthis1
0
 
LVL 4

Expert Comment

by:BGTSLLC
ID: 24073877
What type of PC is this?
0
 
LVL 4

Expert Comment

by:BGTSLLC
ID: 24073882
Sorry on the SVCHost one - have the patch on my flash drive...

KB893803
0
 

Author Comment

by:RobertEhinger
ID: 24073912
HP Pavilion a131 10n
0
 

Author Comment

by:RobertEhinger
ID: 24073913
Also, if I try to open Mozilla Firefox it doesn't open but if I open task mgr it shows firefox.exe hogging almost all of my system resources.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24073945
I can only view the bits2.bmp.

Looking at the jpeg, the image path of the BITS is wrong -->%fystemroot%\system32\svchost.exe -k netsvcs

the right path to executable should be --> %Systemroot%\system32\svchost.exe -k netsvcs
So you need to change that either via the Services window or via the registry.



Have you also tried MBAM yet? or run Combofix too.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24074014
Start > Run > type in
services.msc

And doubleclick the "Background Intelligent Transfer Service" and change the 'path to executable'.
 
OR: If you want to edit the registry to fix the path there.
Start > Run > type in

regedit

Enter and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
in the right Window pane look for "Imagepath"
Then in the data column it should have the %fystemRoot%\system32\svchost.exe -k netsvcs

doubleclick on Imagepath and change it to %SystemRoot%\system32\svchost.exe -k netsvcs
Just change the F to an S (the only difference there is the F)
and OK.

If regedit won't let you edit the registry, download this regtools.vbs first.
http://www.dougknox.com/security/scripts_desc/regtools.htm

0
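
The check discussed in the posts above (the BITS ImagePath value and the service start type), as an added example that is not part of the original thread or any poster's code: it parses a regedit 5.00 text export of the two service keys and flags a mistyped variable such as `%fystemroot%` or a disabled service. The sample export is constructed, the variable allow-list is an assumption, and a real export file must first be read as UTF-16.

```python
import re

# Value the thread gives as correct for BITS (compared case-insensitively).
EXPECTED_BITS = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
KNOWN_VARS = {"systemroot", "windir", "programfiles"}  # assumption: short allow-list

def hex2(text):
    """Encode text as regedit 5.00 exports REG_EXPAND_SZ: hex(2), UTF-16LE, NUL end."""
    raw = (text + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in raw)

def parse_reg(export):
    """Return {key_path: {lowercased_value_name: value}} from regedit export text."""
    export = re.sub(r"\\\r?\n\s*", "", export)  # join hex lines continued with '\'
    keys, current = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith("hex(2):"):      # REG_EXPAND_SZ
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                data = raw.decode("utf-16-le").rstrip("\0")
            elif data.startswith("dword:"):     # REG_DWORD
                data = int(data[6:], 16)
            else:                               # REG_SZ
                data = data.strip('"').replace("\\\\", "\\")
            current[name.lower()] = data
    return keys

def audit(export):
    """Return (service, finding) tuples for suspicious service settings."""
    findings = []
    for key, vals in parse_reg(export).items():
        svc = key.rsplit("\\", 1)[-1]
        path = vals.get("imagepath", "")
        for var in re.findall(r"%([^%]+)%", path):
            if var.lower() not in KNOWN_VARS:
                findings.append((svc, f"unknown variable %{var}% in ImagePath"))
        if svc.upper() == "BITS" and path.lower() != EXPECTED_BITS.lower():
            findings.append((svc, "ImagePath differs from expected svchost path"))
        if vals.get("start") == 4:              # 2 = Automatic, 4 = Disabled
            findings.append((svc, "Start=4 (service disabled)"))
    return findings

# Constructed sample mirroring the symptoms reported in this thread.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]",
    '"ImagePath"=' + hex2(r"%fystemroot%\system32\svchost.exe -k netsvcs"),
    '"Start"=dword:00000002', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]",
    '"ImagePath"=' + hex2(r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    '"Start"=dword:00000004',
])

if __name__ == "__main__":
    for svc, msg in audit(SAMPLE):
        print(f"{svc}: {msg}")
```

Run against an export taken before and after editing the value, a finding that reappears matches what the asker later reports: something on the machine is rewriting the key.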
 
LVL 2

Accepted Solution

by:
2629326 earned 500 total points
ID: 24074175
Dude... backup and do a fresh install. Save yourself the time and agony. Take advantage of the opportunity, they only come every so often.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24074204
"Dude... backup and do a fresh install. Save yourself the time and agony. Take advantage of the opportunity, they only come every so often."

If I told everyone to do this for every minor error they were having, I wouldn't have my job very long.
0
 
LVL 2

Expert Comment

by:2629326
ID: 24074264
Hey, buddy....
1. Those are Conficker symptoms.
2. The downtime that those "minor errors" would cause = ..."wouldn't have my job very long"
3. If backups were being done regularly; wouldn't be posting, would just restore configurations
4. Backups- now's a good time to get started
5. Let me know how much time/money gets invested in resolving the minor error.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 24074364
Yeah, it's probably a virus. I do wonder if it's Conficker.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24074469
Virus alert about the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007

Here is a simple method to see if you have this malware on your machine...... Talks about a randomly named file in c:\windows\system32\drivers, and how to find its registry key.....

http://www.malwarebytes.org/forums/index.php?showtopic=11558



0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24074486
Oh, and btw.....

"Those are Conficker symptoms."
 Those are symptoms of a lot of viruses, not just conficker......

""Dude... backup and do a fresh install. Save yourself the time and agony. Take advantage of the opportunity, they only come every so often.""
A shotgun approach for what can possibly be cleaned, and remedied very simply.

"If backups were being done regularly; wouldn't be posting, would just restore configurations"
?? Backups can back up viruses too...... Need to get to the root cause.....

"Backups- now's a good time to get started"
Can't argue there...  :)

"Let me know how much time/money gets invested in resolving the minor error. "
What we don't know yet from the asker, is that maybe this machine has tons of apps, and the time it would take to rebuild might be double, if not triple what it *might* take to fix this. Until we know this, it is kinda hard to just say reimage......

I have NEVER lost a system from a rootkit/virus/malware infection, and even though it might take some time to remove them, in about 95% of the cases it was worth it to remove it, instead of imaging the pc. The customers appreciate not having to re customize EVERY ONE of their apps.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24074528
LMAO......johnb6767 I unequivocally agree!!!!

just wiping a system is the lazy man's approach to troubleshooting issues.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24074539
yea, and nowhere near as fun......
:^)
0

 
LVL 47

Expert Comment

by:dstewartjr
ID: 24074554
Might actually learn something along the way too....

:-)
0
 
LVL 22

Expert Comment

by:orangutang
ID: 24074602
I agree...
:v)
0
 

Author Comment

by:RobertEhinger
ID: 24083154
OK, after all of that here is where we stand -

>the right path to executable should be --> %Systemroot%\system32\svchost.exe -k netsvcs
>So you need to change that either via the Services window or via the registry.

I tried this and the download mentioned in another spot but with no success. I am attaching a screen shot.

>Have you also tried MBAM yet? or run Combofix too.

Several times. In fact, MBAM is running again as we speak.

>Please download ComboFix by sUBs:

Have run this too but will again


imagepath.bmp
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24083916
That imagepath that you're trying to edit already has the correct path.
Did you run combofix as well? if so, show us the log.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24083929
That's probably the entry on screen which he is trying to set it to, but switches back to %fystemroot% after acknowledging that error.....

I'm starting to think Rootkit...... Try the following in Regular Mode, not Safe Mode....

RootRepeal - RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....
0
 

Author Comment

by:RobertEhinger
ID: 24086644
The image path does revert back to the incorrect path after I close the screen. I ran Combo fix again and am attaching the log file.
ComboFixLog.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24096966
What the system has is a file infector..either Virut, Sality or both.
These files below are infected and combofix didn't seem to find a replacement for them... there are already some system files that failed the sigcheck.... there would be more infected system files that aren't showing in the CF log.

With virut, my suggestion is to reformat.... as in most cases it's a waste of your time trying to clean it up.
But if you don't want to reformat then you need to replace these files below for a start:

c:\windows\system32\userinit.exe
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\windows\explorer.exe


You can also try these scanners:
Virut:
http://www.freedrweb.com/
Sality:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889


I'll post a script for combofix to run also if you decide to try and clean it up.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24097440
If you decide to try and clean it up...in addition to the above scanners for virut and sality.
Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\undname.exe
c:\windows\system32\5.tmp
c:\windows\system32\3.tmp
c:\windows\DUMP7203.tmp
C:\22.tmp
C:\21.tmp
C:\20.tmp
C:\1F.tmp
C:\1E.tmp
C:\1D.tmp
C:\1C.tmp
C:\1B.tmp
C:\1A.tmp
C:\19.tmp
C:\17.tmp
C:\18.tmp
C:\16.tmp
C:\14.tmp
C:\13.tmp
C:\C.tmp
C:\B.tmp
C:\A.tmp
C:\9.tmp
C:\7.tmp
C:\15.tmp
C:\12.tmp
C:\11.tmp
C:\10.tmp
C:\F.tmp
C:\E.tmp
C:\D.tmp
C:\333.tmp
c:\windows\adobe.bat
c:\windows\_id.dat
C:\332.tmp
C:\dmsiacq.exe
c:\windows\system32\328.tmp
c:\windows\DUMP5e9a.tmp
c:\windows\DUMP64b5.tmp
c:\windows\DUMP6aef.tmp
c:\windows\DUMP6f44.tmp
c:\windows\DUMP62b1.tmp
c:\documents and settings\HP_Administrator\reader_s.exe

Rootkit::
c:\windows\system32\drivers\restore.sys
c:\windows\system32\drivers\29c1c5b9.sys
c:\windows\system32\drivers\ethmfgtu.sys
c:\windows\system32\drivers\ethynyvs.sys

Folder::
C:\-935343241
c:\windows\qfkk
c:\program files\Common Files\qfkk
c:\temp\atmp8
C:\Temp

FileLook::
c:\program files\instmsiw.exe
c:\program files\instmsia.exe

DirLook::
c:\windows\system32\kt
c:\windows\system32\am5

Driver::
29c1c5b9
ethmfgtu
ethynyvs
restore

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

 
0
 

Author Comment

by:RobertEhinger
ID: 24105548
OK, I have tried everything that was suggested and now I can not even access the Internet. Instead of getting better the situation seems to be worse.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24105844
Virut is the hardest infection to fight as all infected files can't be cleaned properly so they get corrupted and need to be replaced.

It was irresponsible of me to even suggest trying to clean it up.

Have you rebooted? tried WinsockFix or LSPFix to restore connection?

0
 

Author Comment

by:RobertEhinger
ID: 24106947
No, but I will tonight when I get home.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24108763
"It was irresponsible of me to even suggest trying to clean it up."

No it wasn't rpggamergirl. I haven't found an infection yet that can't be cleaned. In I don't know how many machines I have dealt with bad infections on, I have never lost one (at least not hands on, little harder to say that on a forum, without being present to see the whole picture).....Don't wanna start now...

You can pull the HDD out and both clean the infected files from the machine, and load the registry hives to remove the rootkit values as well....

While this disk is slaved, the previously hidden drivers and registry keys will be visible, and can simply be deleted.
While there, you can replace those 4 system files with known good ones from another machine. Wouldn't mess with the backup copies at this point, from WFP....
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24113137
@ john6767

>>> I havent found an infection yet that cant be cleaned. In I dont know how many machines I have dealt with bad infections on<<<

Yes, every infection can basically be cleaned or assume cleaned... .
with Virut and Sality infection Format and Reinstall is the fastest and safest solution.
Depending on how long virut has infected this pc... we know that virut is a buggy file infector that even if the scanner disinfects the files in many cases the files get corrupted if not deleted by the scanner which results in many programs that will not work, errors popping up, and corrupted Windows.

Yes, we can spend all our time cleaning it up and replacing files or reinstalling programs but after all that... and after we have cleaned the system we can not guarantee that the system is really clean or error free afterwards.
It's known that basically with virut/sality it's a losing case for malware fighters.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24113294
I can't say that I have specifically fought those, but if you know what you are looking for, you can tell what's been modified, and can remedy even the nastiest infections to a complete pre infection state.....

I kinda look forward to one........  :^)
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24113298
Actually, if you know of any links off hand, I would like to infect a machine, and disassemble some of the codes to see what they do.....
0
 

Author Comment

by:RobertEhinger
ID: 24171479
I have tried everything that was suggested including "You can pull the HDD out and both clean the infected files from the machine, and load the registry hives to remove the rootkit values as well...." which I had already done before it came up on this thread. I finally took 2629326's advice and performed a fresh install. If nothing else I have learned a few new tricks along the way as well as some interesting applications and fixes.
0
 

Author Closing Comment

by:RobertEhinger
ID: 31571633
All other suggestions failed. Some actually made the problem worse.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24838771
@johnb6767:
I have done the same (disassembled samples from variants of Virut & Sality, executed them on VMs & sandboxes, did a binary compare for files before, during & after being infected then cleaned, etc.)
Sality will corrupt MFC applications smaller than 20 KB when being disinfected, beyond repair, other than that it can be cleaned successfully to a great extent
Virut is cleanable, but in many of the cases it damages the executables also beyond repair, meaning you will get an exe with damaged resources & practically unusable after the infection is gone, also the latest variants are able to infect web content & archives, which can be a huge overhead to clean up
with regards to executable corruption, this symptom is not intentional, this is probably bad coding on the virus developers' behalf.

a combination of Both is definitely a lost case , rebuild and save your time & efforts.


0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24846423
Just had one (virut) not too long ago, and I was able to clean a lot of it by hand (using NTFS permissions), wasn't too bad, and subsequent scans came up clean. I did have quite a few infected files to replace, as they were corrupted.
Nasty little bugger... I love playing with viruses, but this one almost broke my perfect record of cleaning them.... Hope I don't see one again real bad anytime soon.....
Haven't played with Sality yet....
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24846533
With Virut And Sality it all depends on :-
- how long the PE infector has been active, the longer it runs, the more files infected ,the more chances files are corrupted after cleanup.
- how much time are you willing to spend trying to recover
- how many other nasties the Downloader portion of the viruses have downloaded ,seen a case of Virut being distributed through Vundo & other  downloaders , resulting in a very fast reinfection loop.
IMHO, the best method to protect from Viruses , is NOT to get infected in the first place  :)
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24846557
"the best method to protect from Viruses , is NOT to get infected in the first place"
Cmon, you mean I really do win an Xbox 360, and to claim it I just click here? Wheres the fun in that?  :^)
I love our end users... Without them we would be unemployed....
Have a good night....
0
