I agree that this is the result of a hijackware infection. This is occurring
b/c of some change the virus left behind. After removing the virus, I ran
>7 different scanners, all coming up clean. This includes the 2 you recommend
below (MSRT and Windows Live Safety scanner.) In the HijackThis log, I’ve
been able to track every process running as a legitimate process. The only
thing I found suspect is the Automatic Update notation: “Service: Automatic
Updates (wuauserv) – Unknown owner – C:\WINDOWS\” I think it’s strange that
it is listed as “unknown owner”, and listed as C:\WINDOWS instead of
C:\WINDOWS\system32, but I'm not sure if this is actually wrong.
What I’m looking for here is additional suggestions on what to try to fix
this particular service. Is there anything I should be looking for
specifically in the registry? Is there a specific way to force-reinstall the
appropriate files from my WinXP CD (besides the steps I already took to do
that based on the KB article)? Is there another setting I should change
anywhere in Windows?
There's got to be a way to reinstall or reset the "Automatic Update" service
so that I can utilize WindowsUpdate again. I appreciate any help in finding out
how to do so.
"PA Bear [MS MVP]" wrote:
> You're still seeing the effects of a hijackware infection! (Symantec's
> "FixVundo.exe" hasn't been effective for over 2 years.)
>
> NB: If you had no anti-virus application installed or the subscription had
> expired *when the machine first got infected* and/or your subscription has
> since expired and/or the machine's not been kept fully-patched at Windows
> Update, don't waste your time with any of the below: Format & reinstall
> Windows. A Repair Install will NOT help!
>
> 1. See if you can download/run the MSRT manually:
> http://www.microsoft.com/security/ma...e/default.mspx
>
> NB: Run the FULL scan, not the QUICK scan! You may need to download the
> MSRT on a non-infected machine, then transfer MRT.EXE to the infected
> machine and rename it to SCAN.EXE before running it.
>
> 2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
> (only!) in Safe Mode with Networking, if need be:
> http://onecare.live.com/site/en-us/center/howsafe.htm
>
> 3. Run a /thorough/ check for hijackware, including posting the requested
> logs in an appropriate forum, not here.
>
> Checking for/Help with Hijackware
> http://aumha.net/viewtopic.php?f=30&t=4075
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/tshoot.html
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> http://www.elephantboycomputers.com/...moving_Malware
>
> **Seek expert assistance in
> http://spywarehammer.com/simplemachi...php?board=10.0,
> http://forums.spybot.info/forumdisplay.php?f=22,
> http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
> or other appropriate forums.**
>
> If these procedures look too complex - and there is no shame in admitting
> this isn't your cup of tea - take the machine to a local, reputable and
> independent (i.e., not BigBoxStoreUSA) computer repair shop.
>
> =====================
> Start a free Windows Update support incident request:
> https://support.microsoft.com/oas/de...spx?gprid=6527
>
> Support for Windows Update:
> http://support.microsoft.com/gp/wusupport
>
> For home users, no-charge support is available by calling 1-866-PCSAFETY in
> the United States and in Canada or by contacting your local Microsoft
> subsidiary. There is no charge for support calls that are associated with
> security updates.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>
> xwing wrote:
> > I also tried:
> > 11. Rename and re-register files (http://support.microsoft.com/kb/910359)
> > [DLLRegisterServer in wuaueng.dll failed. Return code was: 0x80070005]
> > all others succeeded.
> > 12: Parameters and DNS (http://support.microsoft.com/kb/920151)
> >
> > Per all the "clean" virus scanning, my virus is gone, but I need help in
> > cleaning up the damage it did. Any ideas would be appreciated. I have
> > attached the relevant section of my C:\Windows\WindowsUpdate.log file
> > below:
> <snip>
> <paste>
> > When trying to update my computer (Windows XP, SP2) with Windows Update, I
> > receive the "[Error number: 0x80070002] The website has encountered a
> > problem and cannot display the page you are trying to view. The options
> > provided below might help you solve the problem. " error.
> >
> > I believe this was a result of a virus I contracted last weekend. The virus
> > brought many hitchhikers with it (Win32/Blarul, Win32/Koebface.gen!D,
> > Win32/NewDotNet, W32.IRCBot, Trojan.Win32.Agent2.iwh,
> > Backdoor.Win32.Agen.tzl, and more...) I was finally able to remove the
> > virus from my computer using several scanners, including Windows Live
> > OneCare, Symantec 9 (which I already had on my computer when it was
> > infected), AdAware, Malwarebytes Anti-Malware, Windows Malicious Software
> > Removal Tool, and several other one-off fixes. Now with several scans
> > (both in "safe" mode and in Normal mode), I cannot find any trace of a
> > virus. However, significant damage to my registry remains.
> >
> > I have already fixed several registry problems by comparing with a "known
> > good" computer that had the same OS and hotfixes. I found that I could not
> > open regedit (w/o renaming it) or many other programs b/c one of the viruses
> > had added the "Debugger = ntsd -d" key to a large number of .exe files. I
> > also found several virus-related entries in my "Run" section of the registry
> > and removed them.
> >
> > Right now, the only problem I still have is that I cannot run WindowsUpdate.
> > When I try to start Automatic Updates service manually, I receive “Error 2:
> > The system cannot find the file specified.” My associated system log
> > entries are “DCOM got error "The system cannot find the file specified. "
> > attempting to start the service wuauserv with arguments "" in order to run
> > the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}” and “The Automatic
> > Updates service failed to start due to the following error:
> > The system cannot find the file specified.”
> >
> > I have searched this forum and others, and tried all the fixes that were
> > previously suggested.
> > 1. Confirmed that my hardware profile is enabled
> > (http://support.microsoft.com/kb/241584)
> > 2. Ran Symantec's "FixVundo.exe"
> > 3. Ran "WUFix.bat"
> > 4. Checked "Group Policy" to confirm that Automatic Updates are not disabled
> > or restricted via policy. (http://support.microsoft.com/kb/896224)
> > 5. Renamed all associated files in system32
> > (http://support.microsoft.com/kb/931852)
> > 6. Deleted software distribution directory
> > (http://support.microsoft.com/kb/919749 and
> > http://support.microsoft.com/kb/956698)
> > 7. Set auto configuration (http://support.microsoft.com/kb/958043)
> > 8. IE Browser changes (http://support.microsoft.com/kb/900936)
> > 9. Re-register dll files (http://support.microsoft.com/kb/910359)
> > 10. Clear BITS queue (http://support.microsoft.com/kb/958047)
>
>
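An added example, not part of the original posts: a read-only PowerShell audit of the two registry areas the thread mentions, the "Debugger" values placed on executables and the registration of the wuauserv service that fails with "Error 2". It assumes PowerShell 2.0 or later and an administrator account; what counts as correct output is an assumption to settle by running the same script on a known-good machine with the same OS, as the poster did for the other registry repairs.

```powershell
# Added example: read-only audit; it changes nothing in the registry.
# Assumes PowerShell 2.0 or later, run from an administrator account.

# 1. Image File Execution Options: a "Debugger" value under a subkey named
#    after an executable makes Windows launch the debugger instead of it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hits = @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        New-Object PSObject -Property @{ Image = $_.PSChildName; Debugger = $dbg }
    }
})
"IFEO subkeys carrying a Debugger value: $($hits.Count)"
$hits | Sort-Object Image | Format-Table Image, Debugger -AutoSize

# 2. Automatic Updates (wuauserv): print the service registration and check
#    that each file it points to exists. "Error 2" on start is consistent
#    with one of these paths naming a missing file.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
$reg = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue
$par = Get-ItemProperty -Path "$svc\Parameters" -ErrorAction SilentlyContinue

if (-not $reg) {
    "Service key missing: $svc"
} else {
    # Expand %SystemRoot%-style variables so the paths can be tested.
    $imagePath  = [Environment]::ExpandEnvironmentVariables([string]$reg.ImagePath)
    $hostExe    = ($imagePath -split ' -k ')[0].Trim('"')
    $serviceDll = if ($par) {
        [Environment]::ExpandEnvironmentVariables([string]$par.ServiceDll)
    } else { '' }

    "ImagePath  : $imagePath"
    "ObjectName : $($reg.ObjectName)"
    "Start      : $($reg.Start)"
    foreach ($item in @(@('Host executable', $hostExe), @('ServiceDll', $serviceDll))) {
        $label, $path = $item
        $state = if ($path -and (Test-Path -LiteralPath $path)) { 'exists' } else { 'MISSING' }
        '{0,-16} {1}  [{2}]' -f $label, $path, $state
    }
}
```

Any line that differs from the known-good machine, or any path marked MISSING, is the place to look before re-registering or re-copying files.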