# Solved: Could not restart Automatic Update service. Error Code 2



## aliengreen (Aug 29, 2005)

Restarting my Automatic Updates service gives me the following error message: *Could not start the Automatic Update service on Local Computer. Error 2: The system could not find the file specified*. I've been trying to fix this several times now with these online recommended steps, including:

1. Running my local AV program (avast!), both in Windows and during a boot time scan (Found an exploit virus and moved to chest)

2. Checking the ImagePath Value in the Registry key HKLM\SYSTEM\CurrentControlSet\Services\wuauserv (Verified it is "%systemroot%\system32\svchost.exe -k netsvcs" and not a fake path like %fystemroot%\.. netsvcs.)

3. Running sfc.ex /scannow (No prompts came up)

4. Running HijackThis and spotting this suspicious line --- *O23 - Service: UPHClean - Unknown owner - ?:\P?ogr?m Files\UPHClean\uphclean.exe (file missing)*. I've tried several times to delete this but it still comes back, and still shows up after running HJT several times.

5. Downloading MS Fixit 50202 in an attempt to reset Windows Update components, as recommended in a post http://forums.techguy.org/general-security/995717-solution-disabled-automatic-update-failure.html (Will not finish, giving this message, "Service 'Automatic Update' (WUAUSERV) failed to start. Verify that you have sufficient privileges to start system services." I'm the computer administrator.)​
It's No. 4 that's unnerving me a bit, since it keeps coming back even after I delete it in HJT. The file name is highly suspicious, having an unknown owner and some of the letters are substituted with punctuation.

As of today, I still can't get updates or restart the service. This thing has me worried like a cornered cat, and I'll really appreciate any help you guys could extend me.


----------



## Cookiegal (Aug 27, 2003)

What was the name of the file that Avast found (and the entire path to it) please?

For number three was that a typo as the command is incorrect.

No. 4 is not malcious. UPHClean is the MS User Profile Hive Cleanup Service that you probably installed when the computer was slow shutting down because of something not being released in the registry.

Please go * here* to download *HijackThis*.

To the right of the green arrow under *HijackThis downloads* click on the *Executable *button and download the *HijackThis.exe* file to your desktop.
Double-click the * HijackThis.exe* file on your desktop to launch the program. If you get a security warning asking if you want to run this software because the publisher couldn't be verified click on Run to allow it.
Click on the *Scan* button. The scan will not take long and when it's finished the resulting log will open automatically in Notepad.
Click on the *Save log* button and save the log file to your desktop. Copy and paste the contents of the log in your post.
*Please do not fix anything with HijackThis unless you are instructed to do so. Most of what appears in the log will be harmless and/or necessary.*


----------



## aliengreen (Aug 29, 2005)

Hi Cookiegal, thank you very much for replying to this issue. Here is the data you asked me to provide:

a. The path and file name(in bold letters) of the malware found by Avast
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\15\*88743cf-103567c2*

b. HJT log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:11:31 PM, on 8/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\astsrv.exe
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox 4.0\firefox.exe
C:\Program Files\Mozilla Firefox 4.0\plugin-container.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox 4.0\plugin-container.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Freecorder - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre2.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre2.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\Program Files\KeePass Password Safe 2\KeePass.exe" --preload
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [QuickGammaLoader] C:\Program Files\QuickGamma\QuickGammaLoader.exe
O4 - HKCU\..\Run: [HotSwap! Applet] "E:\MY DOCUMENTS\Downloads\32bit\HotSwap!.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1299755726671
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1312980916578
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AST Service (ASTCC) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: AST HighEnd Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: UPHClean - Unknown owner - ?:\P?ogr?m Files\UPHClean\uphclean.exe (file missing)
O24 - Desktop Component 0: (no name) - E:\MY DOCUMENTS\PHOTOGRAPHY\Photography Inspirations\John Wright\charlotte.jpg

--
End of file - 7764 bytes

Thank you for clearing up the UPHClean mystery for me, I thought I've gotten a stubborn, hard-to-pin malware on board. A relief, to say the least.


----------



## Cookiegal (Aug 27, 2003)

Please go to the link below and follow the instructions to clear the Java cache:

http://www.java.com/en/download/help/plugin_cache.xml

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## aliengreen (Aug 29, 2005)

Hi cookiegal, sorry for this late reply. Here is my MBAM log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7513

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/20/2011 9:39:22
mbam-log-2011-08-20 (09-39-21).txt

Scan type: Quick scan
Objects scanned: 225563
Time elapsed: 14 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Nothing found, but I hope it's not one of those newer bugs that escape detection...


----------



## flavallee (May 12, 2002)

I suggest you get rid of *IObit Advanced SystemCare 4* before you wind up trashing your computer.

Stay away from cleaner/booster/optimizer/tuneup type programs, especially the ones that "fix" or "clean" the registry.

They do little-to-nothing to improve speed, and in some cases can reduce speed.

What they can do is damage the Windows operating system and prevent some of your programs from working.

---------------------------------------------------


----------



## Cookiegal (Aug 27, 2003)

I agree with what flavallee posted. :up:

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## aliengreen (Aug 29, 2005)

I think I'll take your suggestion and get rid of the application. This is the second time I've come across a very poor assessment of Iobit and its ilk of "optimizers," the first was reading an interview of an IT person in an online magazine (I forgot his name and who did the interview) saying the same thing you've said - it's going to do more harm to the system than good. Thanks.

PS There are already millions who've downloaded Iobit's ASC 4 free program; I hope they catch on as soon as possible.


----------



## aliengreen (Aug 29, 2005)

Cookiegal, here is the Event Viewer report, which are mainly 4 errors found under the "Application" heading (none under System).

Event Type:	Error
Event Source:	nlsX86cc
Event Category:	None
Event ID:	0
Date: 8/20/2011
Time: 3:48:43 PM
User: N/A
Computer:	
Description:
The description for Event ID ( 0 ) in Source ( nlsX86cc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Stop request seen, nlsX86cc error: 0.

Event Type:	Error
Event Source:	astcc
Event Category:	None
Event ID:	0
Date: 8/20/2011
Time: 3:48:42 PM
User: N/A
Computer:	
Description:
The description for Event ID ( 0 ) in Source ( astcc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Stop request seen, astcc error: 0.

Event Type:	Error
Event Source:	nlsX86cc
Event Category:	None
Event ID:	0
Date: 8/16/2011
Time: 2:59:59 PM
User: N/A
Computer:	
Description:
The description for Event ID ( 0 ) in Source ( nlsX86cc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Stop request seen, nlsX86cc error: 0.

Event Type:	Error
Event Source:	astcc
Event Category:	None
Event ID:	0
Date: 8/16/2011
Time: 2:59:57 PM
User: N/A
Computer:
Description:
The description for Event ID ( 0 ) in Source ( astcc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Stop request seen, astcc error: 0.


----------



## Cookiegal (Aug 27, 2003)

Download *OTS.exe * to your Desktop. 

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
In *Additional Scans *section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan *button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## aliengreen (Aug 29, 2005)

Here it is. Your No.2 instruction is correct, right? - "If your Real protection or Antivirus interferes with OTS, allow it to run." I ran the scan while avast! was running silently in the background, hope it doesn't screw up the results.


----------



## Cookiegal (Aug 27, 2003)

Please go to *VirusTotal* and upload the following file for scanning.

Click *Browse*
Copy and paste the contents of the following code box into the text box next to *File name:* then click *Open* 

```
C:\WINDOWS\system32\quartz.dll
```

Click *Send File*
If confronted with two options, choose *Reanalyse file now*
Wait for the scan to finish and then copy and paste the URL from your browser address bar in your next reply please.

In the OTS log there are entries in the hosts file that look like this. Did you add these in intentionally? I'm not sure what purpose they would serve other than to block adobe.com.

127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com

127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com

Go to *Start *- *Run *- type in *services.msc* and click OK. Double-click on the *Automatic Updates* service to open it and let me know what it says for the Startup Type (Automatic, Manual or Disabled) and the Status (Stopped or Started)


----------



## aliengreen (Aug 29, 2005)

Here is the link to the virustotal scan result:

http://www.virustotal.com/file-scan/report.html?id=36518a0fcd1270f523c8f50ae1a694f4bd125df36395c132ccd3d4516e75fee9-1314020933

About the OST log, I haven't added anything intentionally to the host files, but I'll uninstall this program just to be safe.

About the Services info, Startup Type is set to Automatic; Status is Stopped (Clicking on the Start button beneath this produces the Error Code 2 message -- system cannot find the file specified)


----------



## Cookiegal (Aug 27, 2003)

I see you have threads started for this on at least two other sites, Geeks to Go and Bleeping Computer. Please do not post at multiple forums as that wastes valuable resources while we are all duplicating efforts.

The last recommendation at Bleeping Computer was to do a repair installation and you didn't reply back there so I'm recommending the same thing.


----------



## aliengreen (Aug 29, 2005)

Thank you for bearing with me.

Yes, I've posted to two other forums about this same problem, but with all due respect I'll have to disagree that this wastes efforts (after all, in my case at least, I too spent the time following each of everyone's recommendations). I may be mistaken here, but I believe this is the equivalent of a patient seeking a second opinion (albeit a free one) from a different doctor, because someone may just have a different experience diagnosing a particular problem. With the Geeks to Go site, I didn't get a reply for this Error Code 2, except from a kind fellow asking me to post it at the appropriate thread, where eventually I didn't get any response.

I realize everyone is volunteering their time, and for the tens of views in a thread, about 2 or 3 people will have a go at any one problem posted, and the ones who respond are usually the people loaded and backlogged with work. It's not my intention to add to the burdens of these sincere and dedicated folks such as yourself, and certainly it's not because I want to disparage or doubt any given advice. Nonetheless, I am sorry if posting to multiple sites is, to use the lingo of kids, "uncool".

Again, many thanks for your patience and instructions, they were helpful (we eliminated the virus theory), and I do apologize for any inconvenience I may have caused.

Sincerely,
Bam


----------



## Cookiegal (Aug 27, 2003)

It's just that you don't usually ask for a second opinion until you've gotten the first one. If the first one works then you don't need a second one. Plus we are generally trying the same things and if we knew it had already been tried then we would focus our efforts elsewhere. 

But I do think a repair installation is probably the best way to go as there appears to be some corruption.


----------



## aliengreen (Aug 29, 2005)

Agreed. I'm going with both your repair installation advice as this seems to be the common diagnosis. Again, I thank you for your patience and tips.

PS for the record (and what's it worth), you are my second opinion, after I received the first from the other site, and it's your diagnosis that finally convinced me  Have a good one.


----------

