gerbil 216 Industrious Poster

One more to fix:
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\msinet.exe (file missing)

gerbil 216 Industrious Poster

System32 is larrrgge.. no-one will take the time to visually vet those files for you. If you are concerned about some [it is full of weird filenames, until you know what the file does...] I will give you a good online scan which has a whitelist.
Oh, please post that MBAM log.
Meantime, you have picked up a fresh infection, and some of the previous are still there. Let's try to deal with them...
==Disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in new window, click on Tools in bottom left hand corner.
Click the Resident icon and uncheck Teatimer box.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Download fixwareout from http://downloads.subratam.org/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Only if your Internet connection is now not working perform this.... In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties …

gerbil 216 Industrious Poster

:)
..the utility of search engines....

gerbil 216 Industrious Poster

Try what caper suggested... it will replace the files covered by Windows file protection system. If others are still missing a Windows Repair will do the job [you won't lose your settings, files, data, but some apps may need to be reinstalled...]

gerbil 216 Industrious Poster

This might help:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
O4 - HKLM\..\Run: [\YURC8.exe] C:\Windows\system32\YURC8.exe
O4 - HKLM\..\Run: [\YURC9.exe] …

gerbil 216 Industrious Poster

Windows Error Reporting... like do you want to send this error report to M$?.. and that is the file that will be sent. You can turn error reporting off, you know.... but the msg is just the symptom of a problem you have with your software or the machine...

gerbil 216 Industrious Poster

If you did not already clear your Avast quarantine bin they would be in there. Start Avast, go Tools, Virus Chest, and check the infected tab. Note that in the System tab some files may be in there simply because Avast has detected a change.... and that change may be because of an update or similar.
List the files and get copies from a cd or another sys.

gerbil 216 Industrious Poster

Can YOU find all your jpg etc files? With explorer? Then your file system is okay. When you click on a drive the first thing Explorer does is actually go to the hd and physically read that partition's file table [watch the drive activity lamp; it reads the first level of directories and files, and so on in as you click deeper directories... these are physical reads], nothing to do with registry at all. All the registry knows, or thinks it knows, is your drive letters. So if Picasa is lost then try blaming Picasa. Reinstall it. Picasa may use a sort of MRU entry in registry to hold a list of accessed or known files, I do not know. Just remember that it is a google product.

gerbil 216 Industrious Poster

I do not know what this driver file, ac7eeycg.sys, is.
I could guess that what you are seeing in the dual boot is an interrupted installation of Windows, and that Setup has for some reason left its automatic reboot in boot.ini [you know the one... where Setup informs you that your sys will restart and continue Setup, it does and then you get the msg Press any key to boot from CD..., which of course you don't want it to do, you want it to boot from the hd so you wait... and it does]. So something interrupted Setup soon after and your boot.ini is messed up, and so is your XP installation.
So put your XP installation cd in the drive, select XP Setup when the choice appears, and if that fails...
Start over.
[quick format just deletes your file tables, a full format does that plus a sort of chkdsk, no files are actually overwritten...]

gerbil 216 Industrious Poster

Mmm... if you have the sticker with the serial number... it will identify the type of Windows you should install... Home or Pro, OEM or not [ie retail], so call all your mates, neighbours etc and beg to borrow that same type of disk [go for an SP2 at least]. Get em to burn you a copy.

gerbil 216 Industrious Poster

That is a clean log, mickey. Here is a good "eye" to run over your sys: First clean it...
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java.
Please ATTACH to your post the log it produces.

gerbil 216 Industrious Poster

If when installing Windows you choose to format during setup then the virus files will be lost [not deleted, just lost]. A quick format will do the job. A Windows Repair will NOT rid your machine of the pest.
May i suggest doing an online Virus scan and then installing an antivirus resident service?
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java.
Please ATTACH to your post the log it produces.

gerbil 216 Industrious Poster

A sequence for you:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java.
Please ATTACH to your post the log it produces.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Paul.. this is probably not going to be of much help, but what you are seeing is the ACTUAL email as received by your computer. If I go to my dbx folders in OE and choose one, drag it into a notepad I will see exactly the sort of thing that you are showing in your post. [This stuff:
"JVBERi0xLjMNJf////8NMSAwIG9iag08PA0vVGl0bGUgKP7/AGMAXwBfAGgAYwBfAHcAbwByAGsA
ZgBpAGwAZQBfAHIAbwBvAHQAXwByAG8AbwB0AF8AMQBfAFQAZQByAF8AMwAxAC4AcgB0AGYpDS9Q
cm9kdWNlciAoQW15dW5pIERvY3...." is actually a picture, or part of, anyway.]
Now the difference between my OE and yours is that mine is interpreting the MIME code, and whilst I am happy with that, you may not be.. :)
Try this...
-Open an Explorer window, search for msoe50.inf -the default location for this file is in the C:\Windows\Inf folder [show hidden files and folders].
-Right click the Msoe50.inf file, and then click Install.
-Insert your Windows XP SP2 CD-ROM when prompted and on it locate the I386 folder, click Open, and then click OK.
The Outlook Express files are installed.

gerbil 216 Industrious Poster

Dafat... this is probably not malware related [your log shows as clean, by the way], more an error in the way explorer links to the various files and folders. What happens when you paste this into the Run box:
C:\DOCUME~1\Dafatman\LOCALS~1\Temp
-normal behaviour is for an explorer window to open to that folder. If it does, rename that file, e75_appcompat.txt to e75_appcompat.txt.bak

gerbil 216 Industrious Poster

There is a very good chance that you will be able to start your machine in Safe Mode with Networking. If so, get these two downloads and run them in this order. If you can get to safe mode but not network, then feed the pgms in via a thumbdrive, or some such.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Pull out the media. Generally works.

gerbil 216 Industrious Poster

"A few days" ... like 30 or more? So windows has locked you out. Curse Bill Gates for being so suspicious, then do the Repair as in Bob's post. That will reset the clock.. then do what the lil popup beseeches, and go online to activate. Heck, all you have to do is click the popup. And if you've had Windows [a valid copy] for more than a year validation will be granted no matter what hardware you change. Even M$ understands that technology progresses... well, other ppl's tech, anyway.
If you don't actually have an installation cd, borrow a like one... eg if you had XP Home SP2, get one of those cd's.

gerbil 216 Industrious Poster

Remove the card, return it to the shop. You obviously didn't get the chance to install any? drivers...
Meanwhile try Last Known Good Config. If that won't work then you need a recovery [boot] cd of some type. Got a windows installation cd? You may need to run a Repair [via Setup].

gerbil 216 Industrious Poster

Something is slapping explorer.exe [your GUI] silly... see what this turns up, for a start:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
And then, so we are not totally blind:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Where was that java.exe? Can you give its pathname, please?

gerbil 216 Industrious Poster

Wildbull, jump back up to post #5 and do that procedure - combofix. Those are malware items.
Rundll32.exe is a valid pgm which is called to run various apps from a library of them, a .dll file.

gerbil 216 Industrious Poster

I don't have AGP on my mb, so can't research that problem much further.... I don't know what the next driver being loaded would be.
Try Last Known Good to get back to a workable loading set. Run chkdsk.
Anyone else got ideas?

gerbil 216 Industrious Poster

Heya, ya rogue....
Where CCleaner refers to cleaning logs it really means files of the type .log such as an installer or scanner might make to detail its progress and results of its operations - you only need to keep those if you wish to research why a pgm installation stuck repeatedly. Logs from the tools we run are generally filed as type .txt, and CCleaner will not touch those by default.
Panda is a reputable company with good scanners; they will only use your email to verify that you are not an organisation or scammer feeding off their goodwill, and to send you promotional stuff, but only if you indicate that you would be willing to receive such stuff.
Be brave.... I would not recommend them if I did not trust them.
Right, the latest MBAM log: I see you picked up another pest, but a benign one.
The Panda log... if you glance at it you will see why I asked you to run CCleaner first.... all those cookies. If you visited porn sites the world would now know it...
About 1/4 of the way down we come to the meat. And you are loaded.
A bit of preaching re cracks and keygens... we all know they are out there, but if you wish to use them you really must take the time to find out the groups who make CLEAN ones. Some do, it is their bit of sport, and …

gerbil 216 Industrious Poster

wwkctbca.dll - if you typed that correctly then it is unknown, most likely a random malware naming. I'll shoot for a vundo variant. So when you get it running:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
The agpCPQ.sys error... is your XP on a FAT32 partition?

gerbil 216 Industrious Poster

I find Teatimer an interesting concept, Judy. If we can turn it off via a menu selection then surely any bit of script can do it also? Hijackthis and others of that ilk should be able to overcome it.. imo. Time was when it could not.... I may give it a test run.

gerbil 216 Industrious Poster

Yep, the default settings in the CCleaner tab are useful and safe, there is no need at this point to clean your registry. I just don't wish to see hundreds of your cookies as found by the Pandascan.

gerbil 216 Industrious Poster

Ah, no.. I did not intend for you to delete your actual hosts file, I just noted that in a log you had put a note mentioning that I had requested you to delete the list of hosts file entries - it was a VERY long list, a blacklist. Your hosts file is one created by an anti-spyware app, and is okay - what it does is reflect any attempt to contact any of those sites back into your machine ie to 127.0.0.1
I use Spywareblaster which employs a different method - it creates its blacklists in registry.
PS.. I edited my last post on page 1.
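
Added example, not part of the post above or of any tool it names: a small Python check that separates protective hosts-file entries (names pointed at loopback, as the post describes) from entries that send a name to some other address, which is what a hijacked hosts file looks like. The sample file, the `.test` names and the function names are constructed for illustration; treating `0.0.0.0` as a sinkhole as well is an assumption based on common blocklist practice.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example.test
0.0.0.0         tracker.example.test   # blocklists also use the unspecified address
203.0.113.7     update.example.test
not-an-ip       broken.example.test
"""


def parse_hosts(text):
    """Yield (line_number, address, names) for every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def classify_hosts(text):
    """Sort hosts entries into sinkholed, redirected and malformed.

    sinkholed  - name resolves to loopback/unspecified: lookups go nowhere
    redirected - name resolves to a routable address: review every one
    malformed  - first field is not an IP address, or no name follows it
    """
    result = {"sinkholed": [], "redirected": [], "malformed": []}
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["malformed"].append((lineno, addr))
            continue
        if not names:
            result["malformed"].append((lineno, addr))
            continue
        blocked = ip.is_loopback or ip.is_unspecified
        for name in names:
            if blocked and name.lower() == "localhost":
                continue                      # the stock entry, not a block
            bucket = "sinkholed" if blocked else "redirected"
            result[bucket].append((name, addr))
    return result


if __name__ == "__main__":
    report = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkholed'])} names sinkholed")
    for name, addr in report["redirected"]:
        print(f"REVIEW: {name} is redirected to {addr}")
    for lineno, addr in report["malformed"]:
        print(f"line {lineno}: cannot parse address {addr!r}")
```

A long file where every entry lands in `sinkholed` matches the protective blacklist described above; anything in `redirected` deserves a look before the file is trusted.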

gerbil 216 Industrious Poster

I am not upset at all, rogue, not even exasperated, stuff just goes along, and we get there. That lil reg file I got you to run was to show me the contents of the key that MBAM was dealing with, and it coming up empty was just what I wanted to hear. tdss employs a rootkit, but once you know they are there they are easy to deal with; MBAM looks for it as part of its blacklist of files, finds it and then can delete it [on reboot... :)]. Unless they have unknown supporting files which can recreate the deleted files they are gone.
And thanks, judy, for popping in..... one of the problems with folks running scans themselves [not being pompous here, they are quite at liberty to do so] is that you tend to assume that they just dld it, fully updated it etc. I didn't know the current MBAM version or update number, not having requested its use for a couple of months or more.. .
Anyway, I did not really believe that tdss had reoccurred, and I did not have the log from the second run to check, so... thanks.
Slow dl of some webpages.... that can depend upon a few things, like your ISP's load, that of the net in general [it is getting clogged by folks swapping files, mainly stupid OffYouFace videos], and how busy the servers holding that page are. Try pinging a few sites that you know …

gerbil 216 Industrious Poster

When you attempt to load Safe Mode what is the last driver displayed?

gerbil 216 Industrious Poster

First MBAM log:
08:34:39 PM 9/1/2008
mbam-log-9-1-2008 (20-34-39).txt - this is its filename.

Second MBAM log:
08:34:39 PM 9/1/2008 -same time of scan!
mbam-log-9-1-2008 (20-34-39).txt -same filename!!!

Anyway, what happened to the rest of my guide in Post#2?
I asked you to delete that hosts file because it was a protection hosts file to prevent those sites loading.
Running Ashampoo, Superantispyware, Adaware plus Spybot's teatimer concurrently could slow things a little. I am not up to date with Symantec... does that include a "site guard" which checks websites against a blacklist?

gerbil 216 Industrious Poster

Nothing else shows as bad in that log, but you could use Hijackthis to remove these [benign] RunOnce keys.... the sys should have removed them at reboot.

O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

And if you still have problems... clean, then scan:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java.
Please ATTACH to your post the log it produces.

gerbil 216 Industrious Poster

Just wish to check what we are dealing with here. By the way, those two MBAM logs look identical [time of scan]?
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"  /s >>C:\showkey.txt
start C:\showkey.txt
pause

gerbil 216 Industrious Poster

Randal, nice to see you used my link to get the latest version of Hijackthis....
I added to your other thread... it is re SurfSideKick, and may I suggest you follow that guide and employ Combofix?

gerbil 216 Industrious Poster

One more thing... I missed some adware. Because of the way it loads it is tricky to remove manually, so use this tool:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

A CCleaner guide...
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
[Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the …

gerbil 216 Industrious Poster

Sorta agree with caper, there. You have 110GB of stuff on C:... urrrghh... shiver....
If you use a partitioning tool you could add the rest of your hdd [58GB or so] to C: and increase the risk. Get a new hdd, copy off or delete some stuff...[110GB... wow....]. Put the vital stuff in a partition away from XP....
I mean, if I had 110GB on a partition I would not be interfering with it with ANYONE'S partition tool.

gerbil 216 Industrious Poster

Are you fully up-to-date with your sys?
AFD.SYS was the subject of KB951748 in Aug 2008. It is part of the TCPIP stack, a winsock driver involved in networking.
Current version is 5.1.2600.3394 (xpsp_sp2_qfe.080620-1259).

gerbil 216 Industrious Poster

You know, Randal, you can just delete the xp installations that you are not using/do not use. Delete the C:/Windows folder entirely, keep any documents etc until you sort through them, and clean up your boot.ini file to remove any mention of it. Go Start, run, paste in:
control sysdm.cpl,,3
-press Startup n Recovery Settings, press Edit. Modify [carefully!!] and save.
Of course, repartitioning, formatting and reinstalling is up to you. Best of luck.

gerbil 216 Industrious Poster

Mmm... nothing malicious in that lot; if you fix these entries it will clean up a few loose ends and a couple of questionable ones...
Start hijackthis, press Open the Misc Tools Section, press Delete an NT Service, paste or type in...
Boonty Games -and press OK.
Now press the Back button, and press Scan. Place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...ogin-devel.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

Delete this file:
C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

Programs you cannot uninstall - sometimes if you reinstall a program over the top of itself it recreates the uninstaller correctly, and you can then go ahead and uninstall properly. And you can always brute-force uninstall stuff by just deleting all the components you can find and then perhaps running a registry cleaner.
There is a simple and free registry cleaner in CCleaner, which is anyway a very good temp file cleaner.
The "verifying dmi pool data NO ACTIVE PARTITION" error msg... I am not sure how you got past that one. Do you have two XP partitions on …
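
Added example, not part of the post above and not HijackThis's own code: a Python sketch that parses HijackThis entry lines of the kind quoted in these posts and tags the ones a helper would look at first. The sample lines are copied from posts on this page; the three flags are illustrative triage heuristics chosen here (assumptions), and an entry with no flag is not thereby clean.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entry lines copied from the posts on this page.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
O4 - HKLM\..\Run: [\YURC8.exe] C:\Windows\system32\YURC8.exe
O4 - HKCU\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\msinet.exe (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
"""

# "<code> - <kind>: <rest>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
# HijackThis appends these markers when the referenced file is absent.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
# Short (8.3) or long form of the per-user temp directory on XP.
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
O4_NAME_RE = re.compile(r"^\[(?P<name>[^\]]*)\] ")
AUTOSTART_CODES = {"O4", "O23"}   # Run/RunOnce values and NT services


@dataclass
class Entry:
    code: str
    kind: str
    rest: str
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a HijackThis item line, or None for other text."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m["code"], m["kind"], m["rest"]) if m else None


def autostart_name(entry):
    """Registry value name of an O4 entry (the text in square brackets)."""
    m = O4_NAME_RE.match(entry.rest) if entry.code == "O4" else None
    return m["name"] if m else None


def flag_entry(entry):
    """Attach triage flags (heuristics assumed for this example)."""
    if ORPHAN_RE.search(entry.rest):
        entry.flags.append("orphaned")          # entry outlived its file
    if entry.code in AUTOSTART_CODES and TEMP_RE.search(entry.rest):
        entry.flags.append("runs-from-temp")    # autostart out of a temp dir
    if entry.code == "O23" and " - Unknown owner - " in entry.rest:
        entry.flags.append("unknown-owner")     # service binary has no vendor
    return entry


def triage(log_text):
    """Parse every entry line in a log and return the flagged Entry list."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [flag_entry(e) for e in parsed if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        label = ",".join(e.flags) or "-"
        print(f"{e.code:<4}{label:<24}{e.kind}: {e.rest}")
```

The YURC8 line comes back with no flag even though it sat in a fix list on this page, which is why a scan like this narrows down what to read rather than replacing someone reading the log.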

gerbil 216 Industrious Poster

Thank you... but I can maybe help if you just post that log...?

gerbil 216 Industrious Poster

Orright! We both learned stuff, there. Now I can put my fishing rod away for a bit.
Seems that it is the presence of the key itself and not just its data names or values that triggers the restart nag.

gerbil 216 Industrious Poster

If you go to CP, and remove "Microsoft .NET Framework 3.0" that should remove your .net 3.0 components... if that is what they are.
And if that is not possible, there is this tool:
http://www.microsoft.com/downloads/details.aspx?familyid=AAE7FC63-D405-4E13-909F-E85AA9E66146&displaylang=en

gerbil 216 Industrious Poster

Randal.. these are the instructions for the hijackthis scan that we prefer to commence with:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Er... right. Glad you are sorted re the MBR, anyway.

gerbil 216 Industrious Poster

I aint finished yet! When you visit the Windows Update site it uses an ActiveX to detect this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired].
Try deleting the RebootRequired key itself.
I just did and it seems to work. Without a reboot I could not use the update site to check for more updates... I deleted that RebootRequired key and it allowed me in without a restart. I took another dl and it regenerated that key.

Bob_180_Bob commented: He kept trying until he got it right. +1

gerbil 216 Industrious Poster

I do not have your problem... so if I did a restart to get the new registry values read it would just automatically negate the restart prompt situation for me! So I killed explorer and restarted it, which forces a registry reread. No yellow security icon yet.

gerbil 216 Industrious Poster

Yeah.. it is a shame - I tested it on an update which I had previously refused as not wanted... and it is prompting me to restart. So... the drawing board revisited.... Here is another key that lists dwords for updates for which a reboot is required:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired]
-export that key, then delete the dwords, not just set their value to zero.
I'm testing it now...

gerbil 216 Industrious Poster

:)
Nice.

gerbil 216 Industrious Poster

In the latest version that button is Restore M$ Hosts File.

gerbil 216 Industrious Poster

Bob, this M$ knowledge article may sort it for you: http://support.microsoft.com/default.aspx?kbid=832475
Run your eye down the article until you come to the 3 flag settings. Try putting the Flag = 0 into your key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile
Actually you may have another UpdateExeVolatile key there with a long hex number appended. Okay, so play safe and export the key, then set both flags to zero.
Say how it goes.