Aussie Community Helpdesk
Topic: Windows Update problem
Alan-LB
« on: July 11, 2008, 06:22:40 PM »

I am running Windows XP Pro SP3 on a MacBook Pro. Everything had been very good until yesterday, when I got a trojan, JS:Packed-A[trj] according to Avast!

The trojan has been cleared out, and a full scan with fully updated Avast, Ad-Aware and Spybot shows the system is now clean. I have also run CCleaner, and I have also gone back to an earlier restore point.

However, when I try to do a Windows update I get the following attached message.

I have followed all the instructions. I cannot set Windows Update to Automatic; it just reverts to Disabled. If I try to set it to Manual, I get the message "Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it".

Everything else works OK, so what devices need to be enabled? Microsoft help on this topic is non-existent (as far as I can see).

Any help would be much appreciated - TIA

Alan

BTW - I have another computer on the same network which works OK.

And another thing!! Whenever I try the Windows Update link from Tools > Windows Update I get an advertising popup. This doesn't seem to occur at any other time!!




[attachment deleted by admin]
« Last Edit: July 11, 2008, 06:30:00 PM by Alan-LB »

****************************
---->>  Linux rules, OK!!  <<----
****************************
neonwizard
« Reply #1 on: July 11, 2008, 07:29:42 PM »

It could be that you are still infected with something (Vundo etc.); best to post a HijackThis log.

oldyella
« Reply #2 on: July 11, 2008, 07:45:34 PM »

Hi Alan

I have been using a-squared (anti-trojan); it works well if set to Deep Scan. It found 6 trojans in a week.

http://www.download.com/A-squared-Free/3000-2239_4-10262215.html?hhTest=1

XP Pro - 2 GB DDR memory - AMD 64 X2 4600 dual core CPU
C: drive 500 GB SATA -- D: drive 160 GB SATA Seagates
Jimbob
« Reply #3 on: July 11, 2008, 07:51:55 PM »

Two things to check: if you restored to a previous point, maybe you re-infected yourself? Also, you might check Avast again, as a restore might have rolled back your updates with them as well.

JIM

“Programmer (noun): An organism that can turn caffeine and alcohol into code.”
Alan-LB
« Reply #4 on: July 11, 2008, 08:01:05 PM »

Jim

I have run Avast a second time after restoring; it found nothing.

An odd thing that I think is related: if I try to run "Windows Malicious Software Removal Tool" it starts up, then terminates without doing anything.

I suspect something directed at Windows.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:27 PM, on 11/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleCDEject.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eldersweather.com.au/local.jsp?lt=aploc&lc=4408
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AppleCdEject] C:\WINDOWS\system32\AppleCDEject.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d86063a6] rundll32.exe "C:\WINDOWS\system32\louoblvo.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FastStone Capture.lnk = C:\Program Files\FastStone Capture\FSCapture.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1211613664104
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159937929500
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7468 bytes

I am not sure how to interpret the HijackThis log. One thing I can't identify is "C:\WINDOWS\system32\louoblvo.dll".


TIA

Alan
« Last Edit: July 11, 2008, 08:10:26 PM by Alan-LB »

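An added example to go with the log above (this is not code from the thread, from HijackThis or from any vendor): a small triage script that runs over HijackThis-style O4/O16/O23 lines and flags the shape of entry Alan could not identify. The heuristics are my assumptions drawn from that one entry: a Run value whose name is eight hex digits ([d86063a6]) and whose command is rundll32.exe loading an eight-letter random-looking DLL from system32 (louoblvo.dll), which is what the Vundo/Monder droppers of that period left behind. Empty DPF objects and services with no vendor string are only marked "review", since (as the ATI Smart service here shows) those are often benign. The sample lines are constructed to match the shape of the posted log.

```python
"""Triage HijackThis-style O4/O16/O23 lines for Vundo-shaped persistence.

Added example, not from the thread or from HijackThis. The regexes and the
"8 hex digits" / "8 random letters in system32" rules are assumptions taken
from the one entry in the posted log that no one could identify.
"""
import re

# Constructed sample: lines copied in shape from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d86063a6] rundll32.exe "C:\WINDOWS\system32\louoblvo.dll",b
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# O4: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed heuristic: generated Run value names were 8 lowercase hex digits.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
# First .dll/.cpl path handed to rundll32, quoted or not.
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?\.(?:dll|cpl))"?', re.IGNORECASE)
# Assumed heuristic: dropped DLL names were 8 random lowercase letters.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
# O16: "O16 - DPF: {GUID} (<class name>) - <url>"; both parts may be missing.
O16_LINE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]{36}\}(?P<rest>.*)$")
# O23: "O23 - Service: <display name> - <vendor> - <image path>"
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_line(line):
    """Return (severity, reason) pairs for one line; [] when nothing stands out."""
    line = line.rstrip()
    m = O4_LINE.match(line)
    if m:
        hits = []
        if HEX_NAME.match(m["name"]):
            hits.append(("high", "Run value name is 8 hex digits, typical of a generated name"))
        t = RUNDLL_TARGET.search(m["cmd"])
        if t:
            path = t["path"]
            base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if "system32" in path.lower() and RANDOM_DLL.match(base):
                hits.append(("high", f"rundll32 loads {base}, an 8-letter random-looking DLL from system32"))
        return hits
    m = O16_LINE.match(line)
    if m and m["rest"].strip() in ("", "-"):
        return [("review", "ActiveX (DPF) object with no class name and no source URL")]
    m = O23_LINE.match(line)
    if m and m["owner"].strip().lower() == "unknown owner":
        return [("review", f"service '{m['name']}' has no vendor string; check the binary at {m['path']}")]
    return []


def triage_log(text):
    """Return [(section, severity, reason, line), ...] for every flagged line, in log order."""
    findings = []
    for line in text.splitlines():
        for severity, reason in triage_line(line):
            findings.append((line.split(" - ", 1)[0], severity, reason, line.rstrip()))
    return findings


def high_severity_lines(text):
    """Distinct lines carrying at least one 'high' finding: the entries to pull first."""
    seen = []
    for _section, severity, _reason, line in triage_log(text):
        if severity == "high" and line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for section, severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}\n         {line}")
```

Run against the sample, the only "high" line is the [d86063a6] / louoblvo.dll entry, which matches both rules at once; the Bluetooth rundll32 entry is left alone because bthprops.cpl is neither a .dll nor a random name. Deleting the DLL is only half the job, as the thread goes on to show: the Run value and whatever re-drops the file also have to go, or the entry comes back on reboot.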
neonwizard
« Reply #5 on: July 11, 2008, 09:51:32 PM »

louoblvo.dll is a bit strange. You should post the log in one of the forums I posted to find out exactly what that is.

Alan-LB
« Reply #6 on: July 11, 2008, 10:47:36 PM »

I ran a Deep Scan using a-squared and it threw up 17 low-risk cookies and 1 low-risk file, mIRC, which I have used for years.

I am removing louoblvo.dll and will see what happens. :)

Thanks for all your help

Alan

PS: removed the file, but I still have the same problems. :(
« Last Edit: July 11, 2008, 11:07:19 PM by Alan-LB »

neonwizard
« Reply #7 on: July 12, 2008, 06:48:11 AM »

Try running this removal tool: http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/. Install it, then go into Safe Mode and run the tool to see if it finds anything.

This is the exact reason I install VMware on my Mac and not Boot Camp.

Alan-LB
« Reply #8 on: July 13, 2008, 06:22:41 PM »

Hi Neon

I downloaded the program from Kaspersky and ran it in Safe Mode. It found 5 copies of "Trojan.Win32.Monderb.gen" and 1 copy of "Trojan.Win32.Monder.alx", which the program says it has removed. It took 6 1/2 hours to run on a reasonably fast computer. Neither trojan was picked up by any of the other scans I did.

However, I am still having the same problems today. I think it is a stealth virus that keeps changing its name and footprint to avoid detection and removal.

I will look in AVG, CA, Trend Micro virus information pages to see if I can get more information.

Thanks again for your help

Alan

neonwizard
« Reply #9 on: July 13, 2008, 06:41:45 PM »

You may be quicker formatting. You should have a look at VMware Fusion (best $130 I've ever spent) or Parallels; that way, if it happens again, you just delete the install and copy over your backup. There is a trial version to test on your Mac.

Alan-LB
« Reply #10 on: July 13, 2008, 08:18:45 PM »

I did a Google on Monderb.gen and ended up here: http://www.bleepingcomputer.com/forums/topic155141.html

I followed the instructions to run the Malwarebytes removal tool, and the program found 6 x Trojan.Vundo, 1 x Malware.Trace and 1 x Rootkit.Agent files, which the program removed correctly.

The computer is now clean and I no longer get unwanted Popups, I can run Windows Malicious Software Removal Tool and Windows Update.

The Kaspersky program looked as though it had removed Monderb.gen but the Trojan returned after rebooting.

References for anyone who is interested:
Vundo - http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=42097
Vundo/Monder - http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=71163

Moderators: It may be worth moving this thread to the "Virus/Popups/Walls...." forum for reference by others.

Thanks to everyone for help and suggestions.

Alan
