Results 1 to 3 of 3

Thread: Cannot run windows update - caused by virus

  1. 2009-05-11, 01:02 #1
    xwing
    xwing is offline
    Junior Member
    Join Date
    May 2009
    Posts
    2

    Default Cannot run windows update - caused by virus

    When trying to update my computer (Windows XP, SP2) with Windows Update, I receive the "[Error number: 0x80070002] The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem. " error.

    I believe this was a result of a virus I contracted last weekend. The virus brought many hitchhikers with it (Win32/Blarul, Win32/Koebface.gen!D, Win32/NewDotNet, W32.IRCBot, Trojan.Win32.Agent2.iwh, Backdoor.Win32.Agen.tzl, and more...) I believe I was finally able to remove the virus from my computer using several scanners, including Windows Live OneCare, Symantec 9 (which I already had on my computer when it was infected), AdAware, Malwarebytes Anti-Malware, Windows Malicious Software Removal Tool, SuperAntiSpyware, and several other one-off fixes. Now with several scans (both in "safe" mode and in Normal mode), I cannot find any trace of a virus. However, significant damage to my registry (and possibly files) remains.

    I have already fixed several registry problems by comparing with a "known good" computer that had the same OS and hotfixes. I found that I could not open regedit (w/o renaming it) or many other programs b/c one of the viruses had added the "Debugger = ntsd -d" key to a large number of .exe files. I also found several virus-related entries in my "Run" section of the registry and removed them.

    Right now, the only problem I still have is that I cannot run WindowsUpdate. When I try to start Automatic Updates service manually, I receive “Error 2: The system cannot find the file specified.” My associated system log entries are ” DCOM got error "The system cannot find the file specified. " attempting to start the service wuauserv with arguments "" in order to run the server:
    {E60687F7-01A1-40AA-86AC-DB1CBF673334}” and “The Automatic Updates service failed to start due to the following error:
    The system cannot find the file specified.”

    I have searched several forums and microsoft support, and tried all the fixes that were previously suggested.
    1. Confirmed that my hardware profile is enabled (http://support.microsoft.com/kb/241584)
    2. Ran Symantec's "FixVundo.exe"
    3. Ran "WUFix.bat"
    4. Checked "Group Policy" to confirm that Automatic Updates are not disable or restricted via policy. (http://support.microsoft.com/kb/896224)
    5. Renamed all associated files in system32 (http://support.microsoft.com/kb/931852)
    6. Deleted software distribution directory (http://support.microsoft.com/kb/919749 and http://support.microsoft.com/kb/956698)
    7. Set auto configuration (http://support.microsoft.com/kb/958043)
    8. IE Browser changes (http://support.microsoft.com/kb/900936)
    9. Re-register dll files (http://support.microsoft.com/kb/910359)
    10. Clear BITS queue (http://support.microsoft.com/kb/958047)
    11. Rename and re-register files (http://support.microsoft.com/kb/910359) [DLLRegisterServer in wuaueng.dll failed. Return code was: 0x80070005] all others succeeded.
    12: Parameters and DNS (http://support.microsoft.com/kb/920151)
    13. Symantec Symantec UnHookExec.inf

    I would really appreciate any help in determining if I still have a virus, and determining what is causing my problem. I have run Hijackthis, and can post the log upon demand.
  2. 2009-05-11, 02:06 #2
    xwing
    xwing is offline
    Junior Member
    Join Date
    May 2009
    Posts
    2

    Default Solution found to windowsupdate

    I know I'm not supposed to reply to my own thread, but I have an important update, and I evidently don't have permissoin to simply edit my original post.

    I found the problem, thanks to another post on this forum (http://forums.spybot.info/showthread...306#post311306)

    In my registry, the virus had replaced "%systemroot%" with "%fystemroot%"
    in several spots, so the correct files could not be found. I did a search
    for "fystemroot" in regedit, and replaced with "systemroot". (I did have to
    click "Edit" / "Permissions" and allow full control in each of the folders
    first. Evidently the virus disabled the permissions first.)

    I would still like assistance in analyzing my Hijackthis log to confirm that I do not still have any other remnants of the virus. But I felt it was important to post this reply, so anyone who could help me wouldn't waste time looking into the issue I already solved. If this reply is inappropriate, please delete it or take any other corrective action. Thank you.
  3. 2009-05-11, 03:49 #3
    tashi
    tashi is offline
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hello xwing,

    Please see this forum's stickied FAQ: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

    The start a new topic providing the HJT log and a link back to this thread.

    Quote Originally Posted by xwing View Post
    and I evidently don't have permissoin to simply edit my original post.
    Can I edit my own posts?
    1. In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
    2. In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.


    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules