Windows Update Services missing

[MrAbz2k8]

I have been fixing my fiance's laptop, and while cleaning out Norton 360 and
installing McAfee (no AV flame wars please) it detected 44 viruses present,
so I removed them all, as anyone would.

Coming to the end of the clean-up I decide to fix the Windows Security
Alerts, notifying me that Automatic Updates are off, so I selected "Turn On"
and then said it couldn't do it, with a link allowing me to try manually -
with no luck still.

So I read up and follow 'roughly' some guides here and looking at
services.msc, "Automatic Updates" and "Event Log" is nowhere to be seen.

McAfee is not detecting anything, neither is SUPERAntiSpyware.

And to help you guys, I already prepared a HiJackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:19, on 08/08/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Xvodka_shotsx\Desktop\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program
Files\SiteAdvisor\6145\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program
files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper -
{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common
Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} -
C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program
Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program
Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows
Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe
oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows
Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} -
C:\Users\Xvodka_shotsx\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader
5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4
Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1218213070386
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class)
- http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program
Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene -
{E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common
Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. -
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel
32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program
Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program
files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. -
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc.
- C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. -
C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. -
C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program
Files\SiteAdvisor\6145\SAService.exe

--
End of file - 7289 bytes

 

[PA Bear [MS MVP]]

Re: Windows Update Services missing

1. We do not interpret HijackThis logs in public newsgroups. (See below.)

2. After a brief examination of the HJT log, I can tell you for a fact that
the McAfee application is not fully up-to-date either.

3. Did you also uninstall LiveUpdate and then download/run the Norton
Removal Tool? =>
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

=======================================

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

MrAbz2k8 wrote:
> I have been fixing my fiance's laptop, and while cleaning out Norton 360
> and
> installing McAfee (no AV flame wars please) it detected 44 viruses
> present,
> so I removed them all, as anyone would.
>
> Coming to the end of the clean-up I decide to fix the Windows Security
> Alerts, notifying me that Automatic Updates are off, so I selected "Turn
> On"
> and then said it couldn't do it, with a link allowing me to try manually -
> with no luck still.
>
> So I read up and follow 'roughly' some guides here and looking at
> services.msc, "Automatic Updates" and "Event Log" is nowhere to be seen.
>
> McAfee is not detecting anything, neither is SUPERAntiSpyware.
>
> And to help you guys, I already prepared a HiJackThis report:
>
> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 18:57:19, on 08/08/2008
> Platform: Windows Vista SP1 (WinNT 6.00.1905)
> MSIE: Internet Explorer v7.00 (7.00.6001.18000)
> Boot mode: Normal
<snip>

 

[MrAbz2k8]

Re: Windows Update Services missing

1. Ah, no probs... I swear I saw someone asking for a HJT log file on here.
Apologies 'bout that.

2. McAfee is up-to-date now, thanks for the pointer!

3. Yes NRT did the whole removal process for N360.

After running "sfc /scannow" uncovered no errors. Microsoft Update App gives
the error code 0x80000424 while the web-page gives garbage about disabled AU,
BITS and Event Log services.

 

[PA Bear [MS MVP]]

Re: Windows Update Services missing

To keep track of things, it helps immensely if you include all of previous
message(s) in your replies to the newsgroup. Thank you.

Judging from similar posts here in the past month or so, the behavior may be
due to a Vundo-ZLOB-SDBot infection, all of which is protected by a rootkit.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a thorough check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

==========================================

Start a free Windows Update support incident request:
https://support.microsoft.com/oas/default.aspx?gprid=6527

Support for Windows Update:
http://support.microsoft.com/gp/wusupport

For home users, no-charge support is available by calling 1-866-PCSAFETY in
the United States and in Canada or by contacting your local Microsoft
subsidiary. There is no-charge for support calls that are associated with
security updates.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


MrAbz2k8 wrote:
> 1. Ah, no probs... I swear I saw someone asking for a HJT log file on
> here.
> Apologies 'bout that.
>
> 2. McAfee is up-to-date now, thanks for the pointer!
>
> 3. Yes NRT did the whole removal process for N360.
>
> After running "sfc /scannow" uncovered no errors. Microsoft Update App
> gives
> the error code 0x80000424 while the web-page gives garbage about disabled
> AU, BITS and Event Log services.