Re: Automatic Update: Access is Denied



The appropriate keys on my machine were:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

There should be no ControlSet subkeys numbered higher than 3. The ControlSet004 was created by the malware[s].

The *only* subkey that needs editing is CurrentControlSet.

The other subkeys, ControlSet001 - ControlSet003, are pointed to by CurrentControlSet.
Although the KB below is for Windows NT, the only difference is that there is no Clone subkey.

What are Control Sets? What is CurrentControlSet?
http://support.microsoft.com/kb/100010

The most valuable and reliable control set is CurrentControlSet. If you need to modify system settings in the Registry, CurrentControlSet is the best subkey to choose because you know that it is the correct control set. You also know that if your modifications harm your system configuration, you will still be able to boot using the last known good control set.

EX: [HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000003

If the system fails to boot, upon the restart the boot menu will appear.
The same boot menu shows up when one presses F8 prior to Windows loading in order to reach Safe Mode.
Choosing the LastKnownGood configuration on the boot menu will load the last successfully loaded ControlSet, which in this case is ControlSet003.

But boot back into Windows normal mode and all the permissions are changed back and the ImagePath values are corrupted again.

Cleaning a system *first* will preclude having to reset perms and ImagePath values more than once. However, some of the tools needed to remove most current malware can be deleterious to the system.
Which is precisely why disabling System Restore should be done as a *last* step. It will add time to the scans but ... it's best to have a rat-infested [malware] lifeboat rather than none at all.

Emptying all temp and temporary internet files *will* cut down on the scan times without risking a non-boot situation.

Otherwise ... nice writeups LightCC and BayAreaDave.


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============



LightCC wrote:

After two days and probably 12 hours of working on my final bit of virus
removal for a friend's PC this post helped me take the last few steps to
reenable Windows Update.

Therefore, I'm posting all the major steps I took along with the final
procedure in order to help others out.

This PC had a bad virus situation. It was sending out 50k-60k emails a
day, had software that was disabling security like antivirus programs,
and I couldn't run process explorer or hijackthis on it at first.

Before I got it, the outdated McAfee was run on it and found a bunch
of things. An old version of Spybot that I had installed was on it. So I
started by getting the latest Spybot S&D, which found about 4 malicious
threats. 2 of those came back after cleaning, however.

A web search led me to download Malwarebytes' Anti-Malware program,
which was able to remove those 2 viruses and found a few more and
cleaned them. The final problem was that Windows Update was disabled...
thus started a journey of a 1000 steps... or 1000 DOS commands, or
something like that...

So here's the rest of the story on how I got Windows Update back up. It appears to be the same virus others in this thread posted about, but
I had to do a few extra things to get it running. Here's the info.

The first part and a few others, are cut and paste from elsewhere with
useful information:

-----------------

Here is perhaps the most definitive (and long-running) conversation about that error:
http://groups.google.com/group/micro...4667c09cb402c0
=================
Start a free Windows Update support incident request:
https://support.microsoft.com/oas/de...spx?gprid=6527

Support for Windows Update:
http://support.microsoft.com/gp/wusupport

For home users, no-charge support is available by calling 1-866-PCSAFETY in
the United States and in Canada or by contacting your local Microsoft
subsidiary. There is no charge for support calls that are associated with
security updates.

For more information about how to contact your local Microsoft subsidiary
for security update support issues, visit the International Support Web
site: http://support.microsoft.com/common/international.aspx

For enterprise customers, support for security updates is available through
your usual support contacts.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin; DTS-L.netw



---------------

Finding the permissions problem:

Tried to run dos (cmd) and register all the dlls as per a posting. One
failed:


net stop wuauserv
net stop bits


(neither was started)


regsvr32 wuaueng.dll


Message pops up: DllRegisterServer in wuaueng.dll failed. Return code was: 0x80070005

According to many web posts this is a permissions problem.

--------------

Next tried doing a manual reinstall of Windows Update, as follows:

You can install the WindowsUpdateAgent which is available for download from
http://go.microsoft.com/fwlink/?LinkId=43264 and run the following command:

WindowsUpdateAgent30-x86.exe /wuforce

I just renamed it to WUA30.exe and ran

WUA30.exe /wuforce

to force the install. The install failed with following error number:
0x8024d007

-----------

At some point around here I tried using the SubInACL tool (see
http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx) to reset
the permissions. This failed to change the affected registry keys for
wuauserv (I wasn't aware of the problem with BITS at this point).

Maybe this would have worked if I had run it in safe mode, but I wasn't
aware of the virus changes to the paths at this point either...

----------------------------

Posted fix in safe mode as Administrator by someone else:

Hello Everyone,

After 3 days of searching and comparing registries with 3 computers I found
the Fix

Error code 0x80070005 Can not enable Automatic Updates

First Run Malwarebytes and your antivirus program to remove scum viruses.

After Viruses are removed.

Log in to Safe Mode with Administrator Privileges

Click Start >
Run >
Type "regedit" (without " ")

On the menu bar choose Edit > Find > in the text box type "wuauserv"
(without " "). Remove the check marks named Values and Data (only Keys
should remain checked) > click on Find Next

Go through all the keys one at a time and first check its permissions by
right clicking on the key > Permissions > enable FULL CONTROL > CLICK APPLY

NOW ON THE IMAGEPATH CHANGE %fystemroot%\System32\svchost.exe -k netsvcs
to read correctly as "%SystemRoot%\System32\svchost.exe -k netsvcs" (only
the S is changed to f). (You do this by right clicking the ImagePath in the
right hand side pane and selecting Modify)

HIT the F3 button to Find the next wuauserv key and do the same steps.

Check permissions on each key and change if necessary (remember you must be
in SAFE MODE ADMINISTRATOR).

Now do the same steps for the BITS key

Check its permissions and set to Full control if necessary.

Finally, close Registry Editor.

Start > Run > services.msc

find Automatic Updates > Right click > Properties
under START UP TYPE > change to AUTOMATIC

Do the same for Bits if necessary.

And voilà, Automatic Updates is back.


----------------

Some notes, clarification and my final process to fix things on my PC:


It does not have to be the official "Administrator" account as long
as the user you log into in safe mode has Administrator access.

When you do 'find' in regedit is when he means to uncheck the 'values'
and 'data' box. I thought he meant during editing after you get to the
keys... but these should be the keys that need to be changed. There may
be additional ones, so if it doesn't work try a full search and check
the permissions on every key it finds.

The appropriate keys on my machine were:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

Searching for bits and wuauserv found other entries and keys
that were not affected

In these keys the permissions had been changed to only administrator
with only read permission. To get the full list back I did the
following:

- Right click on wuauserv key, choose permissions
- See only administrators in the list.
- Click "Advanced" at the bottom
- Checkbox "Inherit from parent the permission entries that apply to child
objects. Include these with entries explicitly defined here"
- Click OK
- Click OK

- In the right pane double-click the "ImagePath" value to edit it
- Change the "%fystemroot%" at the beginning of the path to "%systemroot%"
(the virus had purposely edited it to be misspelled)
- After doing this on ControlSet001 and ControlSet004 the changes already
showed up in CurrentControlSet when I got there

In services.msc,
Automatic Updates was set to Automatic startup type
Background Intelligent Transfer service was set to Manual startup type

No need to change either of those

But boot back into windows normal mode and all the permissions are
changed back and the ImagePath values are corrupted again.

So, I go through the virusscan mode again, this time trying the full-on
normal-mode, turnoff system restore, and then rescan in safe mode
method.

1. TURN OFF SYSTEM RESTORE
2. Full scan with Malware - clean
3. Full scan with spybot - clean

4. Reboot into safe mode on an administrator-enabled account

5. normal scan with Malware - clean
6. Full scan with McAfee - subscription ran out about 3/2009, 3 months ago

- found 2 files, I think from heuristic search, one auto-cleaned, I
quarantined the other

7. Now, go back and redo the permissions and path updates on the 6
registry keys
8. This time, however, I opened a dos prompt in safe mode and ran the
regsvr32 wuaueng.dll
- SUCCESS!!

9. I rebooted into normal mode Windows and Windows Update was running.
10. Checked the bad registry keys and they were all still in the
correct new state

So, I'm not sure if it was the 2 files McAfee found, disabling the
system restore, or running the regsvr32 command while still in safe mode, but I'm now
up and running.

Just wanted to share the procedure!
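The checks the two posts above performed by hand in regedit, as an added read-only audit script (not from the thread or its authors): it walks every numbered ControlSet plus CurrentControlSet, reports the BITS and wuauserv ImagePath unexpanded, flags keys whose ACL inheritance is broken or where Administrators lack Full Control, and lists numbered control sets that HKLM\SYSTEM\Select does not reference. The expected ImagePath is the value the posts restore; the script assumes an elevated PowerShell session and changes nothing.

```powershell
# Added example, not from the thread: audit the service keys the posts repaired. Run elevated; read-only.
$system   = 'HKLM:\SYSTEM'
$services = @('BITS', 'wuauserv')
$expectedImagePath = '%SystemRoot%\System32\svchost.exe -k netsvcs'   # value the thread restores
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$raw  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

# Select tells the loader which numbered set is Current / Default / LastKnownGood / Failed
$select = Get-ItemProperty -Path "$system\Select"
'Select: Current={0} Default={1} LastKnownGood={2} Failed={3}' -f `
    $select.Current, $select.Default, $select.LastKnownGood, $select.Failed
$referenced = @($select.Current, $select.Default, $select.LastKnownGood, $select.Failed) |
    Where-Object { $_ -ne 0 } | Sort-Object -Unique

$controlSets = @(Get-ChildItem -Path $system |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName }) + 'CurrentControlSet'

foreach ($cs in $controlSets) {
    # A numbered set that Select never points at deserves a look (the thread blamed
    # an extra one on the infection), but on its own it is not proof of anything.
    if ($cs -match '^ControlSet(\d{3})$' -and ([int]$Matches[1]) -notin $referenced) {
        Write-Warning "$cs is not referenced by HKLM\SYSTEM\Select"
    }
    foreach ($svc in $services) {
        $key = "$system\$cs\Services\$svc"
        if (-not (Test-Path -Path $key)) { Write-Warning "$key is missing"; continue }

        # Read the REG_EXPAND_SZ unexpanded; Get-ItemProperty would expand %SystemRoot%,
        # while the bogus %fystemroot% never expands, so svchost.exe is never found.
        $imagePath = (Get-Item -Path $key).GetValue('ImagePath', $null, $raw)
        if ($imagePath -ne $expectedImagePath) {
            Write-Warning "$key ImagePath is '$imagePath', expected '$expectedImagePath'"
        }

        # The posts found these keys cut down to Administrators:Read with inheritance removed
        $acl = Get-Acl -Path $key
        $adminsFull = $acl.Access | Where-Object {
            $_.IdentityReference -like '*\Administrators' -and
            (($_.RegistryRights -band $full) -eq $full)
        }
        if ($acl.AreAccessRulesProtected) { Write-Warning "$key does not inherit permissions from Services" }
        if (-not $adminsFull)             { Write-Warning "$key`: Administrators lack Full Control" }
        '{0}: {1}' -f $key, (($acl.Access | ForEach-Object {
            '{0}={1}' -f $_.IdentityReference, $_.RegistryRights }) -join '; ')
    }
}
```

Run it before and after the repair described in the thread; a clean system prints no warnings for CurrentControlSet, and the ACL listing should show the same inherited entries as the parent Services key.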



