Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: Automatic Updates Service won't start - Error 2

197 views
Skip to first unread message

PA Bear [MS MVP]

unread,
Mar 28, 2009, 1:06:43 PM3/28/09
to
You have much more work to do!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

2. Run the Windows Live Safety Center's 'Protection' scan (only!) in Safe
Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or other appropriate forums.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
=====================
Start a free Windows Update support incident request:
https://support.microsoft.com/oas/default.aspx?gprid=6527

Support for Windows Update:
http://support.microsoft.com/gp/wusupport

For home users, no-charge support is available by calling 1-866-PCSAFETY in
the United States and in Canada or by contacting your local Microsoft
subsidiary. There is no-charge for support calls that are associated with
security updates.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


shamrin wrote:
> Trying to start Automatic Updates results in the error message:
>
> Could not start the Automatic Updates service on Local Computer.
> Error 2: The system cannot find the file specified
>
> I get the same error message when trying to start Background Intelligent
> Transfer Service.
>
> I believe both of these services have been hosed by viruses that have now
> been removed. I managed to do a manual update to SP3 but this has not
> resolved the problem. TIA
>
> /sch

shamrin

unread,
Mar 28, 2009, 1:22:01 PM3/28/09
to
Thanks for your response PA Bear. I think you may have misunderstood where we
are in the process. I have got the malware out of the machine, it is virus,
trojan, crapware free now.

However, the infection has left a few tracks that need to be cleaned up
apparently, i.e., Windows Update will not work becasue the BITS and AU
services won't start. When attempting to start them, they respond with the
message I mention above:

Error 2: The system cannot find the file specified

Cheers,

/sch

PA Bear [MS MVP]

unread,
Mar 28, 2009, 7:51:26 PM3/28/09
to
I fully understood. I don't think you've gotten all of "the malware out of
the machine" and I do not think it's free of any/all traces of the virus,
trojan, and crapware yet. If it were, AU would be working.

paulatkinson

unread,
Apr 13, 2009, 10:29:27 PM4/13/09
to

Check the ImagePath Value in the Registry key
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv and verify it is
"%systemroot%\system32\svchost.exe -k netsvcs" and not a fake path like
%fystemroot%\.. netsvcs


--
paulatkinson
------------------------------------------------------------------------
paulatkinson's Profile: http://forums.techarena.in/members/89791.htm
View this thread: http://forums.techarena.in/windows-update/1149963.htm

http://forums.techarena.in

karthigeyan

unread,
Apr 15, 2009, 8:28:44 AM4/15/09
to

As you said I found that for Automatic Update and Background
Intelligence Transfer services the %s has been changed to %f but This is
not getting edited in either services.msc or in regedit


--
karthigeyan
------------------------------------------------------------------------
karthigeyan's Profile: http://forums.techarena.in/members/90186.htm

paulatkinson

unread,
Apr 15, 2009, 9:40:20 AM4/15/09
to

When you say you can't edit the ImagePath Value do you mean you can't
open regedit? If thats the case then are you an administrator on the
computer? If you are an administrator an get "access denied" when
running regedit then type the following command on the Command Prompt or
at the Run Command "REG add
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v
DisableRegistryTools /t REG_DWORD /d 0 /f" You should then be able to
run regedit.


--
paulatkinson
------------------------------------------------------------------------
paulatkinson's Profile: http://forums.techarena.in/members/89791.htm

karthigeyan

unread,
Apr 15, 2009, 9:46:25 AM4/15/09
to

I can open regedit .I am the administrator but when editing this
particular BITS and AU it is not getting edited what to do Pls help


--
karthigeyan
------------------------------------------------------------------------
karthigeyan's Profile: http://forums.techarena.in/members/90186.htm

paulatkinson

unread,
Apr 15, 2009, 10:46:40 AM4/15/09
to

Sounds like permissions were changed because of the spyware. Below are
the steps for Windows XP Professional you need to follow. In the other
versions of XP or Windows 2000 its the same idea except maybe with minor
differences in the steps.
1) Open Regedit
2) Select Key "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv"
3) Right Click Key - Select Permissions
If permissions are effected Administrators will not have Full Control"
follow Step 4 -11. If Administrators have Full Control then you have
another problem. Don't even bother doing steps 4-11
4) Select Advanced Button
5) Select Owner Tab
6) Add "Administrators" if it is not there. If it is Highlight
Administrators and click Apply Button
7) Click "OK" this will close "Advanced Security for wuauserv" box
8) Select "Administrators" in "Permissions for wuauser" box
9) Check Allow - Full Control box (If check boxes are greyed out then
9a) Select Advanced Button
9b) Uncheck "Inherit from parent...defined here" box
9c) Click "Copy" button
9d) Click "OK" in "Advanced Security for Wuaserv" Box
9e) You should now be able to check the Allow Full Contol box
10) Click "Apply" - If you don't receive an error your golden
11) Click "OK"

You should then be able to modify the value ImagePath.

The spyware that you had probably effected several registry keys so you
may have to follow steps 3 - 11 again if you can't modify other keys.


Good Luck!!!


--
paulatkinson
------------------------------------------------------------------------
paulatkinson's Profile: http://forums.techarena.in/members/89791.htm

mrb.v...@gmail.com

unread,
Apr 16, 2009, 5:56:21 PM4/16/09
to
I have the exact same problem and got as far as this. But now when I
try to start the services it says access denied. When I go in to
change the log on account is says access denied as well. I checked
the permissions on svchost and it already said Everyone had Full
Control so I didn't touch it. Anyone have any ideas?

PA Bear [MS MVP]

unread,
Apr 16, 2009, 6:23:18 PM4/16/09
to
Yes: Start a new thread about /your/ problem, please.

the great@discussions.microsoft.com Sandhu the great

unread,
Apr 20, 2009, 6:35:01 AM4/20/09
to
You need to run subinacl to reset the permissin back to default.
Follow the Kb949377 to reset the permission
There is another Micrsoft Knowledge base article i.e Kb31322 that also used
to reset the permission in xp professional Only as it owuld not work on xp
home edition for that we can run subinacl Kb949377

icpop1

unread,
Jun 20, 2009, 7:47:28 PM6/20/09
to

Thanks for the clear and precise solution to my Windows Update error
messages!


--
icpop1
Posted via http://www.vistaheads.com

KHemmingsen

unread,
Jul 16, 2009, 3:20:05 PM7/16/09
to
I have done this process repeatedly to resolve the same problem, but I dont
get 9b/ and 9c/ as described. 9b/ is unchecked already and 9c/ does not
appear. When I follow through with remainder steps, and althought I change
permissions for 'Administrators' to 'allow' it seem to reset itself, and will
not allow me to change key. Do I need to be logged on as 'Administrator' even
if user has Administrator rights?

PA Bear [MS MVP]

unread,
Jul 16, 2009, 4:38:55 PM7/16/09
to
To avoid confusion, please begin a new thread about your specific problems.
State your IE version and full Windows version (e.g., WinXP SP3; Vista SP2)
in your first post.

Or see this earlier post in this same thread:
http://groups.google.com/group/microsoft.public.windowsupdate/msg/cfbb1d89ba84764e


--
~Robear Dyer (PA Bear)

MS MVP-IE, Mail, Security, Windows Client - since 2002


KHemmingsen wrote:
> I have done this process repeatedly to resolve the same problem, but I
> dont
> get 9b/ and 9c/ as described. 9b/ is unchecked already and 9c/ does not
> appear. When I follow through with remainder steps, and althought I change
> permissions for 'Administrators' to 'allow' it seem to reset itself, and
> will not allow me to change key. Do I need to be logged on as
> 'Administrator' even if user has Administrator rights?

<snip hijacked thread>

BobCrabtree

unread,
Nov 1, 2009, 4:06:56 AM11/1/09
to

paulatkinson;4358632 Wrote:
> Check the ImagePath Value in the Registry key
> HKLM\SYSTEM\CurrentControlSet\Services\wuauserv and verify it is
> "%systemroot%\system32\svchost.exe -k netsvcs" and not a fake path like
> %fystemroot%\.. netsvcs

Paul,

That posting was REALLY useful to me - many thanks!

Dealing here with a PC that had been thoroughly mauled about by Sasser
Worm and a bunch of others and thought I'd finally sorted everything
until I went to do the Windows updates!

But you pinpointed the problem perfectly:

%fystemroot%\system32\svchost.exe -k netsvcs

instead of

%systemroot%\system32\svchost.exe -k netsvcs

And, of course, I needed to give myself permission to change things!

Again, many thanks.

Cheers

Bob Crabtree


--
BobCrabtree
------------------------------------------------------------------------
BobCrabtree's Profile: http://forums.techarena.in/members/96954.htm

mifisher01

unread,
May 31, 2010, 8:59:01 PM5/31/10
to
permissions were changed and so was systemroot changed to fsystemroot check
bits key as well

PA Bear [MS MVP]

unread,
Jun 1, 2010, 12:39:44 AM6/1/10
to
is your refrigerator running too?

MowGreen

unread,
Jun 1, 2010, 1:04:38 PM6/1/10
to

mifisher01 wrote:
> permissions were changed and so was systemroot changed to fsystemroot check
> bits key as well

systemroot changed to fsystemroot is a clear indication that the system
is infected. Your original post indicated an error that is *also* caused
by malware, Error Code: 0x8024D007.

You either need to contact Microsoft for NO CHARGE ( FREE ) assistance
in cleaning up the system or, you can reformat and reinstall it. Start
here: http://www.microsoft.com/protect/support/default.mspx

Under " Scanning, detecting, and removing threats " click the
' I think my computer is infected ' link.

If there was one that said " I know my computer is infected ", I'd tell
you to click that one. The next page will provide a link to the OneCare
Safety Scanner. Click it and see if it can detect and remove the malware
on the system.
If you have run the Safety Scanner, click the Continue button.
Confirm Your Country, click Continue.
Click the " type of support you want for Consumer Security "
The Phone and all of the other options are *free*.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked

0 new messages