Ressourcen für IT-Professionals >
Forenhomepage
>
Forefront Client Security Malware Technology and Response
>
Removed VUNDO worm. Now Automatics Updates service will not start
Removed VUNDO worm. Now Automatics Updates service will not start
- Automatic Updates service and BITS service will not start. Get a message from both:
Could not start (either above) server on local computer. Error 2: The system cannot find the file specified.
These began after cleaning out the VUNDO worm. These services are not running. How do I repair them to run?
Antworten
- you may want to look at running SFC /SCANNOW to check to make sure that all your files are intact for core windows files. Could be the files were too corrupted to clean or something.
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde- Als Antwort markiertchogye Donnerstag, 5. März 2009 20:23
- Well for WUA you might want to try installing the client over again.. get the right one at http://support.microsoft.com/kb/949104 and also try running the installer with the /wuforce command line option..
For BITS I'm not sure. I would check the %SystemRoot%\System32\qmgr.dll file to make sure it exists.. may want to make a copy of it from a similar OS/system you have and copying it into the system.
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde- Als Antwort markiertchogye Freitag, 6. März 2009 14:08
Alle Antworten
- you may want to look at running SFC /SCANNOW to check to make sure that all your files are intact for core windows files. Could be the files were too corrupted to clean or something.
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde- Als Antwort markiertchogye Donnerstag, 5. März 2009 20:23
- I ran SFC /SCANNOW at the command prompt. After about 2 minutes it completed. I still cannot get either service to start.
- Well for WUA you might want to try installing the client over again.. get the right one at http://support.microsoft.com/kb/949104 and also try running the installer with the /wuforce command line option..
For BITS I'm not sure. I would check the %SystemRoot%\System32\qmgr.dll file to make sure it exists.. may want to make a copy of it from a similar OS/system you have and copying it into the system.
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde- Als Antwort markiertchogye Freitag, 6. März 2009 14:08
- I reinstalled WUA success fully. BITS has this path to executable:
%fsystemRoot%\system32\svchostexe -k netsvcs
Looks like the trojan corrupted the BITS path. How do I delete this path? I cannot in the Services window. Can I deleted BITS completely from Services and re-install?
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS is the reg location for the BITS service.. I would compare what is there to whats on a good machine
ImagePath should be %SystemRoot%\System32\svchost.exe -k netsvcs
Under Parameters subkey the ServiceDll should be %SystemRoot%\System32\qmgr.dll (this is the actual BIT's file svchost.exe is just a shared container process for multiple services to utilize less resources on the system)
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
