Automatic update service removes itself after reboot

Issue is that after every reboot automatic updates service stops and removes
itself (from registry and from services).

This started appearing on xp pro machine with sp2. Updatng to sp3 didn't help.

windowsupdate log doesnt help either because all it says is that service
started OK and stopped with OK code (no specified reason for stopping the
service is given). Event log doesnt either show any problems, it only has
events from starting the service ok and stopping it ok.

This sounds like virus/malware/spyware problem, but all the scans come out
clean (f-secure client security (installed), kaspersky (online), Panda
(online), McAfee, ad-aware, trend micro etc.)

I have tried all the fix's I have found from web (including reregistering
required dll's, reinstalling from au.inf etc.) and all these do fix the issue
temporarily, but after reboot the service starts, stays on for less then a
minute and then disappears, yet no delete flag can found from registry before
it goes.

for example reregistering wuaueng.dll brings back all registry keys and Im
able to start the service without problems and get the updates from windows
update or by automatics update. And it works fine until reboot. No suspicious
software can be found from startup that could do this (I have triple checked
everything).

So any good ideas.... This is really getting annoying problem.

Thanks for advance.

- zanttux

System may be infected with malware "Vundo"
http://www.microsoft.com/security/po...=Win32%2fVundo



--

TaurArian [MVP] 2005-2008 - Update Services
http://taurarian.mvps.org
======================================
How to ask a question: http://support.microsoft.com/kb/555375
Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco


"Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
news:DA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
| Issue is that after every reboot automatic updates service stops and removes
| itself (from registry and from services).
|
| This started appearing on xp pro machine with sp2. Updatng to sp3 didn't help.
|
| windowsupdate log doesnt help either because all it says is that service
| started OK and stopped with OK code (no specified reason for stopping the
| service is given). Event log doesnt either show any problems, it only has
| events from starting the service ok and stopping it ok.
|
| This sounds like virus/malware/spyware problem, but all the scans come out
| clean (f-secure client security (installed), kaspersky (online), Panda
| (online), McAfee, ad-aware, trend micro etc.)
|
| I have tried all the fix's I have found from web (including reregistering
| required dll's, reinstalling from au.inf etc.) and all these do fix the issue
| temporarily, but after reboot the service starts, stays on for less then a
| minute and then disappears, yet no delete flag can found from registry before
| it goes.
|
| for example reregistering wuaueng.dll brings back all registry keys and Im
| able to start the service without problems and get the updates from windows
| update or by automatics update. And it works fine until reboot. No suspicious
| software can be found from startup that could do this (I have triple checked
| everything).
|
| So any good ideas.... This is really getting annoying problem.
|
| Thanks for advance.
|
| - zanttux

Virtumonde (alias vundo) was my first thought too, but it aint the case.
VirtumundoBegone, VundoFix or f-secures specific virtumonde removal tool can
not find any trace of it, and this machine has been protected all times by
good hardware firewall + F-Secure client securtiy 7.11 (latest) + all av
scans have been clean.

-Zanttux (certified F-secure expert 2006-2008)

"TaurArian" wrote:

> System may be infected with malware "Vundo"
> http://www.microsoft.com/security/po...=Win32%2fVundo
>
>
>
> --
>
> TaurArian [MVP] 2005-2008 - Update Services
> http://taurarian.mvps.org
> ======================================
> How to ask a question: http://support.microsoft.com/kb/555375
> Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco
>
>
> "Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
> news:DA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
> | Issue is that after every reboot automatic updates service stops and removes
> | itself (from registry and from services).
> |
> | This started appearing on xp pro machine with sp2. Updatng to sp3 didn't help.
> |
> | windowsupdate log doesnt help either because all it says is that service
> | started OK and stopped with OK code (no specified reason for stopping the
> | service is given). Event log doesnt either show any problems, it only has
> | events from starting the service ok and stopping it ok.
> |
> | This sounds like virus/malware/spyware problem, but all the scans come out
> | clean (f-secure client security (installed), kaspersky (online), Panda
> | (online), McAfee, ad-aware, trend micro etc.)
> |
> | I have tried all the fix's I have found from web (including reregistering
> | required dll's, reinstalling from au.inf etc.) and all these do fix the issue
> | temporarily, but after reboot the service starts, stays on for less then a
> | minute and then disappears, yet no delete flag can found from registry before
> | it goes.
> |
> | for example reregistering wuaueng.dll brings back all registry keys and Im
> | able to start the service without problems and get the updates from windows
> | update or by automatics update. And it works fine until reboot. No suspicious
> | software can be found from startup that could do this (I have triple checked
> | everything).
> |
> | So any good ideas.... This is really getting annoying problem.
> |
> | Thanks for advance.
> |
> | - zanttux
>
>
>

No current Removal Tool will identify and remove all of the most-recent
Vundo variants (new ones are surfacing every day), which are usually
accompanied by ZLOB and SDBot variant(s), all protected by a rootkit. You
need assistance from another, more-experienced expert on such matters.

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/



Zanttux wrote:
> Virtumonde (alias vundo) was my first thought too, but it aint the case.
> VirtumundoBegone, VundoFix or f-secures specific virtumonde removal tool
> can
> not find any trace of it, and this machine has been protected all times by
> good hardware firewall + F-Secure client securtiy 7.11 (latest) + all av
> scans have been clean.
>
> -Zanttux (certified F-secure expert 2006-2008)
>
> "TaurArian" wrote:
>
>> System may be infected with malware "Vundo"
>> http://www.microsoft.com/security/po...=Win32%2fVundo
>>
>>
>>
>> --
>>
>> TaurArian [MVP] 2005-2008 - Update Services
>> http://taurarian.mvps.org
>> ======================================
>> How to ask a question: http://support.microsoft.com/kb/555375
>> Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco
>>
>>
>> "Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
>> news:DA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
>>> Issue is that after every reboot automatic updates service stops and
>>> removes itself (from registry and from services).
>>>
>>> This started appearing on xp pro machine with sp2. Updatng to sp3 didn't
>>> help.
>>>
>>> windowsupdate log doesnt help either because all it says is that service
>>> started OK and stopped with OK code (no specified reason for stopping
>>> the
>>> service is given). Event log doesnt either show any problems, it only
>>> has
>>> events from starting the service ok and stopping it ok.
>>>
>>> This sounds like virus/malware/spyware problem, but all the scans come
>>> out
>>> clean (f-secure client security (installed), kaspersky (online), Panda
>>> (online), McAfee, ad-aware, trend micro etc.)
>>>
>>> I have tried all the fix's I have found from web (including
>>> reregistering
>>> required dll's, reinstalling from au.inf etc.) and all these do fix the
>>> issue temporarily, but after reboot the service starts, stays on for
>>> less
>>> then a minute and then disappears, yet no delete flag can found from
>>> registry before it goes.
>>>
>>> for example reregistering wuaueng.dll brings back all registry keys and
>>> Im
>>> able to start the service without problems and get the updates from
>>> windows update or by automatics update. And it works fine until reboot.
>>> No suspicious software can be found from startup that could do this (I
>>> have triple checked everything).
>>>
>>> So any good ideas.... This is really getting annoying problem.
>>>
>>> Thanks for advance.
>>>
>>> - zanttux

Ok, could you please at least suggest some other means of fixing this issue
then blaming simply just malware/spyware. Hijackthis is tool that I use
regularly and it reveals nothing that would explain this. Hell even the logs
from scans before this problem started are same as scan logs after this
problem. Absolutely nothing has changed.

"PA Bear [MS MVP]" wrote:

> No current Removal Tool will identify and remove all of the most-recent
> Vundo variants (new ones are surfacing every day), which are usually
> accompanied by ZLOB and SDBot variant(s), all protected by a rootkit. You
> need assistance from another, more-experienced expert on such matters.
>
> When all else fails, HijackThis v2.0.2
> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
> It will help you to both identify and remove any hijackware/spyware with
> assistance from an expert. **Post your log to
> http://aumha.net/viewforum.php?f=30,
> http://forums.spybot.info/forumdisplay.php?f=22,
> http://castlecops.com/forum67.html, or other appropriate forums for review
> by an expert in such matters, not here.**
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
>
>
> Zanttux wrote:
> > Virtumonde (alias vundo) was my first thought too, but it aint the case.
> > VirtumundoBegone, VundoFix or f-secures specific virtumonde removal tool
> > can
> > not find any trace of it, and this machine has been protected all times by
> > good hardware firewall + F-Secure client securtiy 7.11 (latest) + all av
> > scans have been clean.
> >
> > -Zanttux (certified F-secure expert 2006-2008)
> >
> > "TaurArian" wrote:
> >
> >> System may be infected with malware "Vundo"
> >> http://www.microsoft.com/security/po...=Win32%2fVundo
> >>
> >>
> >>
> >> --
> >>
> >> TaurArian [MVP] 2005-2008 - Update Services
> >> http://taurarian.mvps.org
> >> ======================================
> >> How to ask a question: http://support.microsoft.com/kb/555375
> >> Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco
> >>
> >>
> >> "Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
> >> news:DA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
> >>> Issue is that after every reboot automatic updates service stops and
> >>> removes itself (from registry and from services).
> >>>
> >>> This started appearing on xp pro machine with sp2. Updatng to sp3 didn't
> >>> help.
> >>>
> >>> windowsupdate log doesnt help either because all it says is that service
> >>> started OK and stopped with OK code (no specified reason for stopping
> >>> the
> >>> service is given). Event log doesnt either show any problems, it only
> >>> has
> >>> events from starting the service ok and stopping it ok.
> >>>
> >>> This sounds like virus/malware/spyware problem, but all the scans come
> >>> out
> >>> clean (f-secure client security (installed), kaspersky (online), Panda
> >>> (online), McAfee, ad-aware, trend micro etc.)
> >>>
> >>> I have tried all the fix's I have found from web (including
> >>> reregistering
> >>> required dll's, reinstalling from au.inf etc.) and all these do fix the
> >>> issue temporarily, but after reboot the service starts, stays on for
> >>> less
> >>> then a minute and then disappears, yet no delete flag can found from
> >>> registry before it goes.
> >>>
> >>> for example reregistering wuaueng.dll brings back all registry keys and
> >>> Im
> >>> able to start the service without problems and get the updates from
> >>> windows update or by automatics update. And it works fine until reboot.
> >>> No suspicious software can be found from startup that could do this (I
> >>> have triple checked everything).
> >>>
> >>> So any good ideas.... This is really getting annoying problem.
> >>>
> >>> Thanks for advance.
> >>>
> >>> - zanttux
>
>

HIjackThis is only one of many diagnostic tools we use to detect and remove
such infections. What may appear to you as a completely clean HJT log may
not appear the same way to an expert in such matters.

You will need the assistance of such an expert who in all likelihood will
have you run some other diagnostic scans and utitilies and who will then
have to write a script to remove an untold number of files, folders, and
Registry entries.

I can strongly recommend this forum: http://aumha.net/viewforum.php?f=30
--
~PA Bear


Zanttux wrote:
> Ok, could you please at least suggest some other means of fixing this
> issue
> then blaming simply just malware/spyware. Hijackthis is tool that I use
> regularly and it reveals nothing that would explain this. Hell even the
> logs
> from scans before this problem started are same as scan logs after this
> problem. Absolutely nothing has changed.
>
> "PA Bear [MS MVP]" wrote:
>
>> No current Removal Tool will identify and remove all of the most-recent
>> Vundo variants (new ones are surfacing every day), which are usually
>> accompanied by ZLOB and SDBot variant(s), all protected by a rootkit.
>> You
>> need assistance from another, more-experienced expert on such matters.
>>
>> When all else fails, HijackThis v2.0.2
>> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
>> It will help you to both identify and remove any hijackware/spyware with
>> assistance from an expert. **Post your log to
>> http://aumha.net/viewforum.php?f=30,
>> http://forums.spybot.info/forumdisplay.php?f=22,
>> http://castlecops.com/forum67.html, or other appropriate forums for
>> review
>> by an expert in such matters, not here.**
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> AumHa VSOP & Admin http://aumha.net
>> DTS-L http://dts-l.net/
>>
>>
>>
>> Zanttux wrote:
>>> Virtumonde (alias vundo) was my first thought too, but it aint the case.
>>> VirtumundoBegone, VundoFix or f-secures specific virtumonde removal tool
>>> can
>>> not find any trace of it, and this machine has been protected all times
>>> by
>>> good hardware firewall + F-Secure client securtiy 7.11 (latest) + all av
>>> scans have been clean.
>>>
>>> -Zanttux (certified F-secure expert 2006-2008)
>>>
>>> "TaurArian" wrote:
>>>
>>>> System may be infected with malware "Vundo"
>>>> http://www.microsoft.com/security/po...=Win32%2fVundo
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> TaurArian [MVP] 2005-2008 - Update Services
>>>> http://taurarian.mvps.org
>>>> ======================================
>>>> How to ask a question: http://support.microsoft.com/kb/555375
>>>> Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco
>>>>
>>>>
>>>> "Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
>>>> news:DA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
>>>>> Issue is that after every reboot automatic updates service stops and
>>>>> removes itself (from registry and from services).
>>>>>
>>>>> This started appearing on xp pro machine with sp2. Updatng to sp3
>>>>> didn't
>>>>> help.
>>>>>
>>>>> windowsupdate log doesnt help either because all it says is that
>>>>> service
>>>>> started OK and stopped with OK code (no specified reason for stopping
>>>>> the
>>>>> service is given). Event log doesnt either show any problems, it only
>>>>> has
>>>>> events from starting the service ok and stopping it ok.
>>>>>
>>>>> This sounds like virus/malware/spyware problem, but all the scans come
>>>>> out
>>>>> clean (f-secure client security (installed), kaspersky (online), Panda
>>>>> (online), McAfee, ad-aware, trend micro etc.)
>>>>>
>>>>> I have tried all the fix's I have found from web (including
>>>>> reregistering
>>>>> required dll's, reinstalling from au.inf etc.) and all these do fix
>>>>> the
>>>>> issue temporarily, but after reboot the service starts, stays on for
>>>>> less
>>>>> then a minute and then disappears, yet no delete flag can found from
>>>>> registry before it goes.
>>>>>
>>>>> for example reregistering wuaueng.dll brings back all registry keys
>>>>> and
>>>>> Im
>>>>> able to start the service without problems and get the updates from
>>>>> windows update or by automatics update. And it works fine until
>>>>> reboot.
>>>>> No suspicious software can be found from startup that could do this (I
>>>>> have triple checked everything).
>>>>>
>>>>> So any good ideas.... This is really getting annoying problem.
>>>>>
>>>>> Thanks for advance.
>>>>>
>>>>> - zanttux

Zanttux wrote:

> Ok, could you please at least suggest some other means of fixing this issue
> then blaming simply just malware/spyware.

I promise you, this is really unlikely to be caused by a bug in Windows. (Could
conceivably be due to a hardware failure, but that's pretty unlikely too.)
Malware is by far the most likely cause, even in the absence of any other
symptoms. Second most likely, at a guess, would be security software misbehaving.

Harry.

For past 6 years I have been fixing hardware/software and operating system
issues on a daily basis as a profession, so I could consider my self a well
above normal home user level.

For past 3 years I have been doing a lot of virus/spyware/malware/rootkit
etc cleaning and even F-secure (yes, the antivirus company) is glad to call
to me certified expert on these matters. (2006-2008)

So trust me, it aint virus/malware/spyware problem.

Now if this would be normal virus/malware issue, I would have found solution
to it allready. But it aint. Its simply malfunctioning service that wants to
send stop signal to itself for some reason on every reboot.

and since reregistering dll's fixes the service temporarily, it is very
unlikely that those dll's would have been replaced with suspicious ones.

Since reinstalling windows isnt possibility atm and Im 100% sure it aint
virus problem, I must once again ask you to at least suggest some other means
of fixing this.

What I mean by this, could you suggest procedures howto make sure all AU's
components are in right places, all registry keys exists etc etc.

Now that would be 1000 times more helpfull for me then, well the pointless
comments of consulting expert.

Im sorry if I sound angry, but I have been working with this issue 3 days
now and its starting get on my nervs.

> > issue

"PA Bear [MS MVP]" wrote:

> HIjackThis is only one of many diagnostic tools we use to detect and remove
> such infections. What may appear to you as a completely clean HJT log may
> not appear the same way to an expert in such matters.
>
> You will need the assistance of such an expert who in all likelihood will
> have you run some other diagnostic scans and utitilies and who will then
> have to write a script to remove an untold number of files, folders, and
> Registry entries.
>
> I can strongly recommend this forum: http://aumha.net/viewforum.php?f=30
> --
> ~PA Bear
>
>
> Zanttux wrote:
> > Ok, could you please at least suggest some other means of fixing this
> > issue
> > then blaming simply just malware/spyware. Hijackthis is tool that I use
> > regularly and it reveals nothing that would explain this. Hell even the
> > logs
> > from scans before this problem started are same as scan logs after this
> > problem. Absolutely nothing has changed.
> >
> > "PA Bear [MS MVP]" wrote:
> >
> >> No current Removal Tool will identify and remove all of the most-recent
> >> Vundo variants (new ones are surfacing every day), which are usually
> >> accompanied by ZLOB and SDBot variant(s), all protected by a rootkit.
> >> You
> >> need assistance from another, more-experienced expert on such matters.
> >>
> >> When all else fails, HijackThis v2.0.2
> >> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
> >> It will help you to both identify and remove any hijackware/spyware with
> >> assistance from an expert. **Post your log to
> >> http://aumha.net/viewforum.php?f=30,
> >> http://forums.spybot.info/forumdisplay.php?f=22,
> >> http://castlecops.com/forum67.html, or other appropriate forums for
> >> review
> >> by an expert in such matters, not here.**
> >> --
> >> ~Robear Dyer (PA Bear)
> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> >> AumHa VSOP & Admin http://aumha.net
> >> DTS-L http://dts-l.net/
> >>
> >>
> >>
> >> Zanttux wrote:
> >>> Virtumonde (alias vundo) was my first thought too, but it aint the case.
> >>> VirtumundoBegone, VundoFix or f-secures specific virtumonde removal tool
> >>> can
> >>> not find any trace of it, and this machine has been protected all times
> >>> by
> >>> good hardware firewall + F-Secure client securtiy 7.11 (latest) + all av
> >>> scans have been clean.
> >>>
> >>> -Zanttux (certified F-secure expert 2006-2008)
> >>>
> >>> "TaurArian" wrote:
> >>>
> >>>> System may be infected with malware "Vundo"
> >>>> http://www.microsoft.com/security/po...=Win32%2fVundo
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>>
> >>>> TaurArian [MVP] 2005-2008 - Update Services
> >>>> http://taurarian.mvps.org
> >>>> ======================================
> >>>> How to ask a question: http://support.microsoft.com/kb/555375
> >>>> Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco
> >>>>
> >>>>
> >>>> "Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
> >>>> news:DA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
> >>>>> Issue is that after every reboot automatic updates service stops and
> >>>>> removes itself (from registry and from services).
> >>>>>
> >>>>> This started appearing on xp pro machine with sp2. Updatng to sp3
> >>>>> didn't
> >>>>> help.
> >>>>>
> >>>>> windowsupdate log doesnt help either because all it says is that
> >>>>> service
> >>>>> started OK and stopped with OK code (no specified reason for stopping
> >>>>> the
> >>>>> service is given). Event log doesnt either show any problems, it only
> >>>>> has
> >>>>> events from starting the service ok and stopping it ok.
> >>>>>
> >>>>> This sounds like virus/malware/spyware problem, but all the scans come
> >>>>> out
> >>>>> clean (f-secure client security (installed), kaspersky (online), Panda
> >>>>> (online), McAfee, ad-aware, trend micro etc.)
> >>>>>
> >>>>> I have tried all the fix's I have found from web (including
> >>>>> reregistering
> >>>>> required dll's, reinstalling from au.inf etc.) and all these do fix
> >>>>> the
> >>>>> issue temporarily, but after reboot the service starts, stays on for
> >>>>> less
> >>>>> then a minute and then disappears, yet no delete flag can found from
> >>>>> registry before it goes.
> >>>>>
> >>>>> for example reregistering wuaueng.dll brings back all registry keys
> >>>>> and
> >>>>> Im
> >>>>> able to start the service without problems and get the updates from
> >>>>> windows update or by automatics update. And it works fine until
> >>>>> reboot.
> >>>>> No suspicious software can be found from startup that could do this (I
> >>>>> have triple checked everything).
> >>>>>
> >>>>> So any good ideas.... This is really getting annoying problem.
> >>>>>
> >>>>> Thanks for advance.
> >>>>>
> >>>>> - zanttux
>
>

Check the registry value for "UpdatesDisableNotify"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000


How to back up, edit, and restore the registry in Windows XP and Windows Server 2003
http://support.microsoft.com/kb/322756

Disclaimer: Modifying the registry can cause serious problems that may require you to
reinstall your operating system. Use the information provided at your own risk.

Don't get angry, we're only trying to help and the most likely cause at the moment is
virus/malware.
--

TaurArian [MVP] 2005-2008 - Update Services
http://taurarian.mvps.org
======================================
How to ask a question: http://support.microsoft.com/kb/555375
Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco


"Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
news:5C19B767-C278-41EE-BF0D-C509783D88D1@microsoft.com...
| For past 6 years I have been fixing hardware/software and operating system
| issues on a daily basis as a profession, so I could consider my self a well
| above normal home user level.
|
| For past 3 years I have been doing a lot of virus/spyware/malware/rootkit
| etc cleaning and even F-secure (yes, the antivirus company) is glad to call
| to me certified expert on these matters. (2006-2008)
|
| So trust me, it aint virus/malware/spyware problem.
|
| Now if this would be normal virus/malware issue, I would have found solution
| to it allready. But it aint. Its simply malfunctioning service that wants to
| send stop signal to itself for some reason on every reboot.
|
| and since reregistering dll's fixes the service temporarily, it is very
| unlikely that those dll's would have been replaced with suspicious ones.
|
| Since reinstalling windows isnt possibility atm and Im 100% sure it aint
| virus problem, I must once again ask you to at least suggest some other means
| of fixing this.
|
| What I mean by this, could you suggest procedures howto make sure all AU's
| components are in right places, all registry keys exists etc etc.
|
| Now that would be 1000 times more helpfull for me then, well the pointless
| comments of consulting expert.
|
| Im sorry if I sound angry, but I have been working with this issue 3 days
| now and its starting get on my nervs.
|
| > > issue
|
| "PA Bear [MS MVP]" wrote:
|
| > HIjackThis is only one of many diagnostic tools we use to detect and remove
| > such infections. What may appear to you as a completely clean HJT log may
| > not appear the same way to an expert in such matters.
| >
| > You will need the assistance of such an expert who in all likelihood will
| > have you run some other diagnostic scans and utitilies and who will then
| > have to write a script to remove an untold number of files, folders, and
| > Registry entries.
| >
| > I can strongly recommend this forum: http://aumha.net/viewforum.php?f=30
| > --
| > ~PA Bear
| >
| >
| > Zanttux wrote:
| > > Ok, could you please at least suggest some other means of fixing this
| > > issue
| > > then blaming simply just malware/spyware. Hijackthis is tool that I use
| > > regularly and it reveals nothing that would explain this. Hell even the
| > > logs
| > > from scans before this problem started are same as scan logs after this
| > > problem. Absolutely nothing has changed.
| > >
| > > "PA Bear [MS MVP]" wrote:
| > >
| > >> No current Removal Tool will identify and remove all of the most-recent
| > >> Vundo variants (new ones are surfacing every day), which are usually
| > >> accompanied by ZLOB and SDBot variant(s), all protected by a rootkit.
| > >> You
| > >> need assistance from another, more-experienced expert on such matters.
| > >>
| > >> When all else fails, HijackThis v2.0.2
| > >> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
| > >> It will help you to both identify and remove any hijackware/spyware with
| > >> assistance from an expert. **Post your log to
| > >> http://aumha.net/viewforum.php?f=30,
| > >> http://forums.spybot.info/forumdisplay.php?f=22,
| > >> http://castlecops.com/forum67.html, or other appropriate forums for
| > >> review
| > >> by an expert in such matters, not here.**
| > >> --
| > >> ~Robear Dyer (PA Bear)
| > >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
| > >> AumHa VSOP & Admin http://aumha.net
| > >> DTS-L http://dts-l.net/
| > >>
| > >>
| > >>
| > >> Zanttux wrote:
| > >>> Virtumonde (alias vundo) was my first thought too, but it aint the case.
| > >>> VirtumundoBegone, VundoFix or f-secures specific virtumonde removal tool
| > >>> can
| > >>> not find any trace of it, and this machine has been protected all times
| > >>> by
| > >>> good hardware firewall + F-Secure client securtiy 7.11 (latest) + all av
| > >>> scans have been clean.
| > >>>
| > >>> -Zanttux (certified F-secure expert 2006-2008)
| > >>>
| > >>> "TaurArian" wrote:
| > >>>
| > >>>> System may be infected with malware "Vundo"
| > >>>> http://www.microsoft.com/security/po...=Win32%2fVundo
| > >>>>
| > >>>>
| > >>>>
| > >>>> --
| > >>>>
| > >>>> TaurArian [MVP] 2005-2008 - Update Services
| > >>>> http://taurarian.mvps.org
| > >>>> ======================================
| > >>>> How to ask a question: http://support.microsoft.com/kb/555375
| > >>>> Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco
| > >>>>
| > >>>>
| > >>>> "Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
| > >>>> news:DA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
| > >>>>> Issue is that after every reboot automatic updates service stops and
| > >>>>> removes itself (from registry and from services).
| > >>>>>
| > >>>>> This started appearing on xp pro machine with sp2. Updatng to sp3
| > >>>>> didn't
| > >>>>> help.
| > >>>>>
| > >>>>> windowsupdate log doesnt help either because all it says is that
| > >>>>> service
| > >>>>> started OK and stopped with OK code (no specified reason for stopping
| > >>>>> the
| > >>>>> service is given). Event log doesnt either show any problems, it only
| > >>>>> has
| > >>>>> events from starting the service ok and stopping it ok.
| > >>>>>
| > >>>>> This sounds like virus/malware/spyware problem, but all the scans come
| > >>>>> out
| > >>>>> clean (f-secure client security (installed), kaspersky (online), Panda
| > >>>>> (online), McAfee, ad-aware, trend micro etc.)
| > >>>>>
| > >>>>> I have tried all the fix's I have found from web (including
| > >>>>> reregistering
| > >>>>> required dll's, reinstalling from au.inf etc.) and all these do fix
| > >>>>> the
| > >>>>> issue temporarily, but after reboot the service starts, stays on for
| > >>>>> less
| > >>>>> then a minute and then disappears, yet no delete flag can found from
| > >>>>> registry before it goes.
| > >>>>>
| > >>>>> for example reregistering wuaueng.dll brings back all registry keys
| > >>>>> and
| > >>>>> Im
| > >>>>> able to start the service without problems and get the updates from
| > >>>>> windows update or by automatics update. And it works fine until
| > >>>>> reboot.
| > >>>>> No suspicious software can be found from startup that could do this (I
| > >>>>> have triple checked everything).
| > >>>>>
| > >>>>> So any good ideas.... This is really getting annoying problem.
| > >>>>>
| > >>>>> Thanks for advance.
| > >>>>>
| > >>>>> - zanttux
| >
| >

Harry wrote:

"I promise you, this is really unlikely to be caused by a bug in Windows."

I never said it would be bug in windows and it wasnt. But thank you for
your answer, it lead me to right direction and issue is now solved. It was
combination of corrupted dll (not infected by virus or malware but most
likely corrupted during latest hardware issues, thorough file comparison
against working similar setup revealed this).

"Harry Johnston [MVP]" wrote:

> Zanttux wrote:
>
> > Ok, could you please at least suggest some other means of fixing this issue
> > then blaming simply just malware/spyware.
>
> I promise you, this is really unlikely to be caused by a bug in Windows. (Could
> conceivably be due to a hardware failure, but that's pretty unlikely too.)
> Malware is by far the most likely cause, even in the absence of any other
> symptoms. Second most likely, at a guess, would be security software misbehaving.
>
> Harry.
>

You are more than free not to take my advice.

Zanttux wrote:
> For past 6 years I have been fixing hardware/software and operating system
> issues on a daily basis as a profession, so I could consider my self a
> well
> above normal home user level.
>
> For past 3 years I have been doing a lot of virus/spyware/malware/rootkit
> etc cleaning and even F-secure (yes, the antivirus company) is glad to
> call
> to me certified expert on these matters. (2006-2008)
>
> So trust me, it aint virus/malware/spyware problem.
>
> Now if this would be normal virus/malware issue, I would have found
> solution
> to it allready. But it aint. Its simply malfunctioning service that wants
> to send stop signal to itself for some reason on every reboot.
>
> and since reregistering dll's fixes the service temporarily, it is very
> unlikely that those dll's would have been replaced with suspicious ones.
>
> Since reinstalling windows isnt possibility atm and Im 100% sure it aint
> virus problem, I must once again ask you to at least suggest some other
> means of fixing this.
>
> What I mean by this, could you suggest procedures howto make sure all AU's
> components are in right places, all registry keys exists etc etc.
>
> Now that would be 1000 times more helpfull for me then, well the pointless
> comments of consulting expert.
>
> Im sorry if I sound angry, but I have been working with this issue 3 days
> now and its starting get on my nervs.
>
>>> issue
>
> "PA Bear [MS MVP]" wrote:
>
>> HIjackThis is only one of many diagnostic tools we use to detect and
>> remove
>> such infections. What may appear to you as a completely clean HJT log
>> may
>> not appear the same way to an expert in such matters.
>>
>> You will need the assistance of such an expert who in all likelihood will
>> have you run some other diagnostic scans and utitilies and who will then
>> have to write a script to remove an untold number of files, folders, and
>> Registry entries.
>>
>> I can strongly recommend this forum: http://aumha.net/viewforum.php?f=30
>> --
>> ~PA Bear
>>
>>
>> Zanttux wrote:
>>> Ok, could you please at least suggest some other means of fixing this
>>> issue
>>> then blaming simply just malware/spyware. Hijackthis is tool that I use
>>> regularly and it reveals nothing that would explain this. Hell even the
>>> logs
>>> from scans before this problem started are same as scan logs after this
>>> problem. Absolutely nothing has changed.
>>>
>>> "PA Bear [MS MVP]" wrote:
>>>
>>>> No current Removal Tool will identify and remove all of the most-recent
>>>> Vundo variants (new ones are surfacing every day), which are usually
>>>> accompanied by ZLOB and SDBot variant(s), all protected by a rootkit.
>>>> You
>>>> need assistance from another, more-experienced expert on such matters.
>>>>
>>>> When all else fails, HijackThis v2.0.2
>>>> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to
>>>> use.
>>>> It will help you to both identify and remove any hijackware/spyware
>>>> with
>>>> assistance from an expert. **Post your log to
>>>> http://aumha.net/viewforum.php?f=30,
>>>> http://forums.spybot.info/forumdisplay.php?f=22,
>>>> http://castlecops.com/forum67.html, or other appropriate forums for
>>>> review
>>>> by an expert in such matters, not here.**
>>>> --
>>>> ~Robear Dyer (PA Bear)
>>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>>>> AumHa VSOP & Admin http://aumha.net
>>>> DTS-L http://dts-l.net/
>>>>
>>>>
>>>>
>>>> Zanttux wrote:
>>>>> Virtumonde (alias vundo) was my first thought too, but it aint the
>>>>> case.
>>>>> VirtumundoBegone, VundoFix or f-secures specific virtumonde removal
>>>>> tool
>>>>> can
>>>>> not find any trace of it, and this machine has been protected all
>>>>> times
>>>>> by
>>>>> good hardware firewall + F-Secure client securtiy 7.11 (latest) + all
>>>>> av
>>>>> scans have been clean.
>>>>>
>>>>> -Zanttux (certified F-secure expert 2006-2008)
>>>>>
>>>>> "TaurArian" wrote:
>>>>>
>>>>>> System may be infected with malware "Vundo"
>>>>>> http://www.microsoft.com/security/po...=Win32%2fVundo
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> TaurArian [MVP] 2005-2008 - Update Services
>>>>>> http://taurarian.mvps.org
>>>>>> ======================================
>>>>>> How to ask a question: http://support.microsoft.com/kb/555375
>>>>>> Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco
>>>>>>
>>>>>>
>>>>>> "Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
>>>>>> news:DA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
>>>>>>> Issue is that after every reboot automatic updates service stops and
>>>>>>> removes itself (from registry and from services).
>>>>>>>
>>>>>>> This started appearing on xp pro machine with sp2. Updatng to sp3
>>>>>>> didn't
>>>>>>> help.
>>>>>>>
>>>>>>> windowsupdate log doesnt help either because all it says is that
>>>>>>> service
>>>>>>> started OK and stopped with OK code (no specified reason for
>>>>>>> stopping
>>>>>>> the
>>>>>>> service is given). Event log doesnt either show any problems, it
>>>>>>> only
>>>>>>> has
>>>>>>> events from starting the service ok and stopping it ok.
>>>>>>>
>>>>>>> This sounds like virus/malware/spyware problem, but all the scans
>>>>>>> come
>>>>>>> out
>>>>>>> clean (f-secure client security (installed), kaspersky (online),
>>>>>>> Panda
>>>>>>> (online), McAfee, ad-aware, trend micro etc.)
>>>>>>>
>>>>>>> I have tried all the fix's I have found from web (including
>>>>>>> reregistering
>>>>>>> required dll's, reinstalling from au.inf etc.) and all these do fix
>>>>>>> the
>>>>>>> issue temporarily, but after reboot the service starts, stays on for
>>>>>>> less
>>>>>>> then a minute and then disappears, yet no delete flag can found from
>>>>>>> registry before it goes.
>>>>>>>
>>>>>>> for example reregistering wuaueng.dll brings back all registry keys
>>>>>>> and
>>>>>>> Im
>>>>>>> able to start the service without problems and get the updates from
>>>>>>> windows update or by automatics update. And it works fine until
>>>>>>> reboot.
>>>>>>> No suspicious software can be found from startup that could do this
>>>>>>> (I
>>>>>>> have triple checked everything).
>>>>>>>
>>>>>>> So any good ideas.... This is really getting annoying problem.
>>>>>>>
>>>>>>> Thanks for advance.
>>>>>>>
>>>>>>> - zanttux

Zanttux wrote:

> I never said it would be bug in windows and it wasnt. But thank you for
> your answer, it lead me to right direction and issue is now solved. It was
> combination of corrupted dll (not infected by virus or malware but most
> likely corrupted during latest hardware issues, thorough file comparison
> against working similar setup revealed this).

You're welcome. Note that it might have helped lead us in the right direction
if you'd mentioned that you'd been having hardware problems recently.

Harry.

[Suupala]

I had the exact same problem. After many frustrating sleepless nights I finally have a solution that worked for me. I narrowed it down to a nice little process called sgvhost.exe. No software recognized it as being bad in any way. Removed it from my system folder and registry, problem gone. As there were no hits on Google and lots of people with similar issues, I decided to post this solution here.

A small comment to the discussion above: People search solid solutions and clear instructions from these threads. The least useful and most frustrating advice is "why don't you let us professionals handle this, you're too stupid", no matter how kindly formulated. I for one never want to pay for anything, that's why we have the internet.