Automatic update service removes itself after reboot

You are more than free not to take my advice.

Zanttux wrote:
> For past 6 years I have been fixing hardware/software and operating system
> issues on a daily basis as a profession, so I could consider my self a
> well
> above normal home user level.
>
> For past 3 years I have been doing a lot of virus/spyware/malware/rootkit
> etc cleaning and even F-secure (yes, the antivirus company) is glad to
> call
> to me certified expert on these matters. (2006-2008)
>
> So trust me, it aint virus/malware/spyware problem.
>
> Now if this would be normal virus/malware issue, I would have found
> solution
> to it allready. But it aint. Its simply malfunctioning service that wants
> to send stop signal to itself for some reason on every reboot.
>
> and since reregistering dll's fixes the service temporarily, it is very
> unlikely that those dll's would have been replaced with suspicious ones.
>
> Since reinstalling windows isnt possibility atm and Im 100% sure it aint
> virus problem, I must once again ask you to at least suggest some other
> means of fixing this.
>
> What I mean by this, could you suggest procedures howto make sure all AU's
> components are in right places, all registry keys exists etc etc.
>
> Now that would be 1000 times more helpfull for me then, well the pointless
> comments of consulting expert.
>
> Im sorry if I sound angry, but I have been working with this issue 3 days
> now and its starting get on my nervs.
>
>>> issue
>
> "PA Bear [MS MVP]" wrote:
>
>> HIjackThis is only one of many diagnostic tools we use to detect and
>> remove
>> such infections. What may appear to you as a completely clean HJT log
>> may
>> not appear the same way to an expert in such matters.
>>
>> You will need the assistance of such an expert who in all likelihood will
>> have you run some other diagnostic scans and utitilies and who will then
>> have to write a script to remove an untold number of files, folders, and
>> Registry entries.
>>
>> I can strongly recommend this forum: http://aumha.net/viewforum.php?f=30
>> --
>> ~PA Bear
>>
>>
>> Zanttux wrote:
>>> Ok, could you please at least suggest some other means of fixing this
>>> issue
>>> then blaming simply just malware/spyware. Hijackthis is tool that I use
>>> regularly and it reveals nothing that would explain this. Hell even the
>>> logs
>>> from scans before this problem started are same as scan logs after this
>>> problem. Absolutely nothing has changed.
>>>
>>> "PA Bear [MS MVP]" wrote:
>>>
>>>> No current Removal Tool will identify and remove all of the most-recent
>>>> Vundo variants (new ones are surfacing every day), which are usually
>>>> accompanied by ZLOB and SDBot variant(s), all protected by a rootkit.
>>>> You
>>>> need assistance from another, more-experienced expert on such matters.
>>>>
>>>> When all else fails, HijackThis v2.0.2
>>>> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to
>>>> use.
>>>> It will help you to both identify and remove any hijackware/spyware
>>>> with
>>>> assistance from an expert. **Post your log to
>>>> http://aumha.net/viewforum.php?f=30,
>>>> http://forums.spybot.info/forumdisplay.php?f=22,
>>>> http://castlecops.com/forum67.html, or other appropriate forums for
>>>> review
>>>> by an expert in such matters, not here.**
>>>> --
>>>> ~Robear Dyer (PA Bear)
>>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>>>> AumHa VSOP & Admin http://aumha.net
>>>> DTS-L http://dts-l.net/
>>>>
>>>>
>>>>
>>>> Zanttux wrote:
>>>>> Virtumonde (alias vundo) was my first thought too, but it aint the
>>>>> case.
>>>>> VirtumundoBegone, VundoFix or f-secures specific virtumonde removal
>>>>> tool
>>>>> can
>>>>> not find any trace of it, and this machine has been protected all
>>>>> times
>>>>> by
>>>>> good hardware firewall + F-Secure client securtiy 7.11 (latest) + all
>>>>> av
>>>>> scans have been clean.
>>>>>
>>>>> -Zanttux (certified F-secure expert 2006-2008)
>>>>>
>>>>> "TaurArian" wrote:
>>>>>
>>>>>> System may be infected with malware "Vundo"
>>>>>> http://www.microsoft.com/security/po...=Win32%2fVundo
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> TaurArian [MVP] 2005-2008 - Update Services
>>>>>> http://taurarian.mvps.org
>>>>>> ======================================
>>>>>> How to ask a question: http://support.microsoft.com/kb/555375
>>>>>> Computer Maintenance: Acronis / Diskeeper / Paragon / Raxco
>>>>>>
>>>>>>
>>>>>> "Zanttux" <Zanttux@discussions.microsoft.com> wrote in message
>>>>>> newsA626093-B4FC-4693-B2DA-F845C9ACE893@microsoft.com...
>>>>>>> Issue is that after every reboot automatic updates service stops and
>>>>>>> removes itself (from registry and from services).
>>>>>>>
>>>>>>> This started appearing on xp pro machine with sp2. Updatng to sp3
>>>>>>> didn't
>>>>>>> help.
>>>>>>>
>>>>>>> windowsupdate log doesnt help either because all it says is that
>>>>>>> service
>>>>>>> started OK and stopped with OK code (no specified reason for
>>>>>>> stopping
>>>>>>> the
>>>>>>> service is given). Event log doesnt either show any problems, it
>>>>>>> only
>>>>>>> has
>>>>>>> events from starting the service ok and stopping it ok.
>>>>>>>
>>>>>>> This sounds like virus/malware/spyware problem, but all the scans
>>>>>>> come
>>>>>>> out
>>>>>>> clean (f-secure client security (installed), kaspersky (online),
>>>>>>> Panda
>>>>>>> (online), McAfee, ad-aware, trend micro etc.)
>>>>>>>
>>>>>>> I have tried all the fix's I have found from web (including
>>>>>>> reregistering
>>>>>>> required dll's, reinstalling from au.inf etc.) and all these do fix
>>>>>>> the
>>>>>>> issue temporarily, but after reboot the service starts, stays on for
>>>>>>> less
>>>>>>> then a minute and then disappears, yet no delete flag can found from
>>>>>>> registry before it goes.
>>>>>>>
>>>>>>> for example reregistering wuaueng.dll brings back all registry keys
>>>>>>> and
>>>>>>> Im
>>>>>>> able to start the service without problems and get the updates from
>>>>>>> windows update or by automatics update. And it works fine until
>>>>>>> reboot.
>>>>>>> No suspicious software can be found from startup that could do this
>>>>>>> (I
>>>>>>> have triple checked everything).
>>>>>>>
>>>>>>> So any good ideas.... This is really getting annoying problem.
>>>>>>>
>>>>>>> Thanks for advance.
>>>>>>>
>>>>>>> - zanttux

Zanttux wrote:

> I never said it would be bug in windows and it wasnt. But thank you for
> your answer, it lead me to right direction and issue is now solved. It was
> combination of corrupted dll (not infected by virus or malware but most
> likely corrupted during latest hardware issues, thorough file comparison
> against working similar setup revealed this).

You're welcome. Note that it might have helped lead us in the right direction
if you'd mentioned that you'd been having hardware problems recently.

Harry.