error 1058 and automatic updates

#1 (**permalink**) 06-14-2008

im trying to turn on my automatic updates and the services.msc is not
working. it displays error 1058 everytime. i think i have the malware vundo
cuz im getting these pop up ads. how do i get rid of this?
--
hmph.....

#2 (**permalink**) 06-14-2008

You cannot manually start the Automatic Updates service and you receive an
"Error 1058" error message on a computer that is running Windows XP or
Windows XP Tablet PC Edition 2005:
<http://support.microsoft.com/kb/896224>

Please let us know if the problem remains
- -- ---

"dirtydboi" wrote:

> im trying to turn on my automatic updates and the services.msc is not
> working. it displays error 1058 everytime. i think i have the malware vundo
> cuz im getting these pop up ads. how do i get rid of this?
> --
> hmph.....

#3 (**permalink**) 06-14-2008

Hello,

Insure that your system is malware-free /first/ before getting windows updates.
Thoroughly scan the system with your updated anti-virus and anti-malware program.
Document the results so you can have them for posting on an anti-malware forum ---- not here.

Use Windows' Disk Cleanup to delete all temporary files.

Download & save Malwarebytes Anti-Malware from
http://www.besttechie.net/tools/mbam-setup.exe or
http://www.majorgeeks.com/Malwarebyt...are_d5756.html
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL Scan, then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in a new reply as soon as it has finished.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

MBAM is an excellent first-line program to use and keep.

Run a /thorough/ check for malware, including posting your HijackThis log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. ** Post your log to one (and only one) of the following
http://aumha.net/viewforum.php?f=30,
http://www.bleepingcomputer.com/forums/forum22.html,
http://castlecops.com/forum67.html,
http://forum.malwareremoval.com/viewforum.php?f=11
http://forums.spywareinfo.com/index.php?showforum=18
http://www.spywarewarrior.com/viewfo...a7ab9210 f7ae,
http://forums.subratam.org/index.php?showforum=7,
http://forums.spybot.info/forumdisplay.php?f=22
or other appropriate forums for expert analysis, not here.**

Make very sure you read and follow the very topmost instructions at the forum you have selected.

--
Maurice N
MS-MVP (Windows Client) , Aumha.net VSOP , DTS-L
-----

"dirtydboi" <dirtydboi@discussions.microsoft.com> wrote in message news:5A50927B-861A-40F7-B572-34C6B1BF32C3@microsoft.com...
> im trying to turn on my automatic updates and the services.msc is not
> working. it displays error 1058 everytime. i think i have the malware vundo
> cuz im getting these pop up ads. how do i get rid of this?
> --
> hmph.....

#4 (**permalink**) 11-10-2008

Maurice N You are the *man*!!!!!

--
Fusay
------------------------------------------------------------------------
Fusay's Profile: http://forums.techarena.in/members/fusay.htm
View this thread: http://forums.techarena.in/windows-update/986120.htm

http://forums.techarena.in

#5 (**permalink**) 11-22-2008

A log like this:
Malwarebytes' Anti-Malware 1.30
Database version: 1416
Windows 5.1.2600 Service Pack 2

11/22/2008 4:09:06 PM
mbam-log-2008-11-22 (16-09-06).txt

Scan type: Full Scan (C:\|D:\|K:\|)
Objects scanned: 181228
Time elapsed: 58 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 23
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccyAssQ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xkjkbrtp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMcyApQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aoketd.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser
Helper Objects\{ba410704-aff3-46df-9184-11c396259301} (Trojan.Vundo.H) ->
Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ba410704-aff3-46df-9184-11c396259301}
(Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser
Helper Objects\{d9eec67f-e979-4394-af25-98dbc5ea7bbb} (Trojan.Vundo.H) ->
Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\qomcyapq (Trojan.Vundo.H) -> Delete on
reboot.
HKEY_CLASSES_ROOT\CLSID\{d9eec67f-e979-4394-af25-98dbc5ea7bbb}
(Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser
Helper Objects\{f3ab47d7-ddde-45d2-a22d-1a7bb41090ba} (Trojan.Vundo.H) ->
Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f3ab47d7-ddde-45d2-a22d-1a7bb41090ba}
(Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{d9eec67f-e979-4394-af25-98dbc5ea7bbb}
(Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{ba410704-aff3-46df-9184-11c396259301}
(Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{f3ab47d7-ddde-45d2-a22d-1a7bb41090ba}
(Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bd5258af-20ae-4bd3-b748-b2851aca7335}
(Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3}
(Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{4a40e8fc-c7e4-4f57-9fa4-85dd77402897}
(Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined
and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ModuleUsage\c:/windows/cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined
and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined
and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined
and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined
and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\49bdd6ca
(Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{d9eec67f-e979-4394-af25-98dbc5ea7bbb}
(Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\ShellBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d}
(Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\SharedDLLs\C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Notification
Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccyassq ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Authentication
Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccyassq -> Delete on
reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowMyDocs
(Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted
successfully.

Folders Infected:
C:\Documents and Settings\HP_Administrator\Application Data\RegistrySmart
(Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application
Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted
successfully.

Files Infected:
C:\WINDOWS\system32\aoketd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMcyApQ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fccyAssQ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\QssAyccf.ini (Trojan.Vundo.H) -> Quarantined and deleted
successfully.
C:\WINDOWS\system32\QssAyccf.ini2 (Trojan.Vundo.H) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\nkcbusuh.dll (Trojan.Vundo.H) -> Quarantined and deleted
successfully.
C:\WINDOWS\system32\husubckn.ini (Trojan.Vundo.H) -> Quarantined and deleted
successfully.
C:\WINDOWS\system32\xkjkbrtp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ptrbkjkx.ini (Trojan.Vundo.H) -> Quarantined and deleted
successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet
Files\Content.IE5\4D6VC5YV\kb600179[1] (Trojan.Vundo) -> Quarantined and
deleted successfully.
C:\System Volume
Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP950\A0087684.dll
(Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume
Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP951\A0087705.dll
(Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume
Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP951\A0087714.dll
(Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume
Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP951\A0088727.dll
(Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume
Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP956\A0088919.dll
(Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume
Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP957\A0089105.dll
(Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume
Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP958\A0089181.dll
(Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted
successfully.
C:\WINDOWS\system32\cekkeikx.dll (Trojan.Vundo) -> Quarantined and deleted
successfully.
C:\WINDOWS\system32\qoMdbCrr.dll (Trojan.Vundo) -> Quarantined and deleted
successfully.
C:\Documents and Settings\HP_Administrator\Application
Data\RegistrySmart\Log\2008 Mar 09 - 09_35_29 AM_343.log
(Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application
Data\RegistrySmart\Log\2008 Mar 09 - 09_35_32 AM_406.log
(Rogue.RegistrySmart) -> Quarantined and deleted successfully.

"Maurice N ~ MVP" wrote:

> Hello,
>
> Insure that your system is malware-free /first/ before getting windows updates.
> Thoroughly scan the system with your updated anti-virus and anti-malware program.
> Document the results so you can have them for posting on an anti-malware forum ---- not here.
>
> Use Windows' Disk Cleanup to delete all temporary files.
>
> Download & save Malwarebytes Anti-Malware from
> http://www.besttechie.net/tools/mbam-setup.exe or
> http://www.majorgeeks.com/Malwarebyt...are_d5756.html
> Double Click mbam-setup.exe to install the application.
> Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
> If an update is found, it will download and install the latest version.
> Once the program has loaded, select Perform FULL Scan, then click Scan.
> The scan may take some time to finish,so please be patient.
> When the scan is complete, click OK, then Show Results to view the results.
> Make sure that everything is checked, and click Remove Selected.
> When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
> The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
> Copy & Paste the entire report in a new reply as soon as it has finished.
> Extra Note:
> If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
> click OK to either and let MBAM proceed with the disinfection process.
> If asked to restart the computer, please do so immediately.
>
> MBAM is an excellent first-line program to use and keep.
>
> Run a /thorough/ check for malware, including posting your HijackThis log to an appropriate forum.
>
> Checking for/Help with Hijackware
> http://aumha.org/a/parasite.htm
> http://aumha.org/a/quickfix.htm
> http://aumha.net/viewtopic.php?t=5878
> http://wiki.castlecops.com/Malware_R...:_Introduction
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/tshoot.html
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> http://defendingyourmachine.blogspot.com/
> http://www.elephantboycomputers.com/...moving_Malware
>
> When all else fails, HijackThis v2.0.2
> (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
> It will help you to both identify and remove any hijackware/spyware with
> assistance from an expert. ** Post your log to one (and only one) of the following
> http://aumha.net/viewforum.php?f=30,
> http://www.bleepingcomputer.com/forums/forum22.html,
> http://castlecops.com/forum67.html,
> http://forum.malwareremoval.com/viewforum.php?f=11
> http://forums.spywareinfo.com/index.php?showforum=18
> http://www.spywarewarrior.com/viewfo...a7ab9210 f7ae,
> http://forums.subratam.org/index.php?showforum=7,
> http://forums.spybot.info/forumdisplay.php?f=22
> or other appropriate forums for expert analysis, not here.**
>
> Make very sure you read and follow the very topmost instructions at the forum you have selected.
>
> --
> Maurice N
> MS-MVP (Windows Client) , Aumha.net VSOP , DTS-L
> -----
>
> "dirtydboi" <dirtydboi@discussions.microsoft.com> wrote in message news:5A50927B-861A-40F7-B572-34C6B1BF32C3@microsoft.com...
> > im trying to turn on my automatic updates and the services.msc is not
> > working. it displays error 1058 everytime. i think i have the malware vundo
> > cuz im getting these pop up ads. how do i get rid of this?
> > --
> > hmph.....
>

#6 (**permalink**) 11-23-2008

1. Always begin a new thread about *your* problems.

2. We do not interpret MBAM or HijackThis logs in the public newsgroups.

3. Repost:
>> When all else fails, HijackThis v2.0.2
>> (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to
>> use.
>> It will help you to both identify and remove any hijackware/spyware with
>> assistance from an expert. ** Post your log to one (and only one) of
>> the
>> following http://aumha.net/viewforum.php?f=30,
>> http://www.bleepingcomputer.com/forums/forum22.html,
>> http://castlecops.com/forum67.html,
>> http://forum.malwareremoval.com/viewforum.php?f=11
>> http://forums.spywareinfo.com/index.php?showforum=18
>>
>> http://www.spywarewarrior.com/viewfo...a7ab9210 f7ae,
>> http://forums.subratam.org/index.php?showforum=7,
>> http://forums.spybot.info/forumdisplay.php?f=22
>> or other appropriate forums for expert analysis, not here.**

PS: You've got a *lot* more work to do!
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Paul wrote:
> A log like this:
> Malwarebytes' Anti-Malware 1.30
> Database version: 1416
> Windows 5.1.2600 Service Pack 2
>
> 11/22/2008 4:09:06 PM
> mbam-log-2008-11-22 (16-09-06).txt
>
> Scan type: Full Scan (C:\|D:\|K:\|)
> Objects scanned: 181228
> Time elapsed: 58 minute(s), 5 second(s)
>
> Memory Processes Infected: 0
> Memory Modules Infected: 4
> Registry Keys Infected: 23
> Registry Values Infected: 4
> Registry Data Items Infected: 3
> Folders Infected: 2
> Files Infected: 22
>
> Memory Processes Infected:
> (No malicious items detected)
>
> Memory Modules Infected:
> C:\WINDOWS\system32\fccyAssQ.dll (Trojan.Vundo.H) -> Delete on reboot.
> C:\WINDOWS\system32\xkjkbrtp.dll (Trojan.Vundo.H) -> Delete on reboot.
> C:\WINDOWS\system32\qoMcyApQ.dll (Trojan.Vundo) -> Delete on reboot.
> C:\WINDOWS\system32\aoketd.dll (Trojan.Vundo) -> Delete on reboot.
>
> Registry Keys Infected:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser
> Helper Objects\{ba410704-aff3-46df-9184-11c396259301} (Trojan.Vundo.H) ->
> Quarantined and deleted successfully.
> HKEY_CLASSES_ROOT\CLSID\{ba410704-aff3-46df-9184-11c396259301}
> (Trojan.Vundo.H) -> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser
> Helper Objects\{d9eec67f-e979-4394-af25-98dbc5ea7bbb} (Trojan.Vundo.H) ->
> Delete on reboot.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Notify\qomcyapq (Trojan.Vundo.H) -> Delete on
> reboot.
> HKEY_CLASSES_ROOT\CLSID\{d9eec67f-e979-4394-af25-98dbc5ea7bbb}
> (Trojan.Vundo.H) -> Delete on reboot.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser
> Helper Objects\{f3ab47d7-ddde-45d2-a22d-1a7bb41090ba} (Trojan.Vundo.H) ->
> Delete on reboot.
> HKEY_CLASSES_ROOT\CLSID\{f3ab47d7-ddde-45d2-a22d-1a7bb41090ba}
> (Trojan.Vundo.H) -> Delete on reboot.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{d9eec67f-e979-4394-af25-98dbc5ea7bbb}
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{ba410704-aff3-46df-9184-11c396259301}
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{f3ab47d7-ddde-45d2-a22d-1a7bb41090ba}
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> HKEY_CLASSES_ROOT\Interface\{bd5258af-20ae-4bd3-b748-b2851aca7335}
> (Adware.Seekmo) -> Quarantined and deleted successfully.
> HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3}
> (Adware.Coupons) -> Quarantined and deleted successfully.
> HKEY_CLASSES_ROOT\AppID\{4a40e8fc-c7e4-4f57-9fa4-85dd77402897}
> (Adware.Seekmo) -> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
> Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) ->
> Quarantined
> and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ModuleUsage\c:/windows/cpbrkpie.ocx
> (Adware.Coupons) -> Quarantined and deleted successfully.
> HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) ->
> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) ->
> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) ->
> Quarantined
> and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined
> and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) ->
> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined
> and
> deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined
> and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) ->
> Quarantined
> and deleted successfully.
>
> Registry Values Infected:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\49bdd6ca
> (Trojan.Vundo.H) -> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{d9eec67f-e979-4394-af25-98dbc5ea7bbb}
> (Trojan.Vundo) -> Delete on reboot.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
> Explorer\Toolbar\ShellBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d}
> (Adware.Zango) -> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\SharedDLLs\C:\WINDOWS\cpbrkpie.ocx
> (Adware.Coupons) -> Quarantined and deleted successfully.
>
> Registry Data Items Infected:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Notification
> Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccyassq ->
> Quarantined and deleted successfully.
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Authentication
> Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccyassq -> Delete
> on
> reboot.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowMyDocs
> (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted
> successfully.
>
> Folders Infected:
> C:\Documents and Settings\HP_Administrator\Application Data\RegistrySmart
> (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
> C:\Documents and Settings\HP_Administrator\Application
> Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted
> successfully.
>
> Files Infected:
> C:\WINDOWS\system32\aoketd.dll (Trojan.Vundo.H) -> Delete on reboot.
> C:\WINDOWS\system32\qoMcyApQ.dll (Trojan.Vundo.H) -> Delete on reboot.
> C:\WINDOWS\system32\fccyAssQ.dll (Trojan.Vundo.H) -> Delete on reboot.
> C:\WINDOWS\system32\QssAyccf.ini (Trojan.Vundo.H) -> Quarantined and
> deleted
> successfully.
> C:\WINDOWS\system32\QssAyccf.ini2 (Trojan.Vundo.H) -> Quarantined and
> deleted successfully.
> C:\WINDOWS\system32\nkcbusuh.dll (Trojan.Vundo.H) -> Quarantined and
> deleted
> successfully.
> C:\WINDOWS\system32\husubckn.ini (Trojan.Vundo.H) -> Quarantined and
> deleted
> successfully.
> C:\WINDOWS\system32\xkjkbrtp.dll (Trojan.Vundo.H) -> Delete on reboot.
> C:\WINDOWS\system32\ptrbkjkx.ini (Trojan.Vundo.H) -> Quarantined and
> deleted
> successfully.
> C:\Documents and Settings\HP_Administrator\Local Settings\Temporary
> Internet
> Files\Content.IE5\4D6VC5YV\kb600179[1] (Trojan.Vundo) -> Quarantined and
> deleted successfully.
> C:\System Volume
> Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP950\A0087684.dll
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> C:\System Volume
> Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP951\A0087705.dll
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> C:\System Volume
> Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP951\A0087714.dll
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> C:\System Volume
> Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP951\A0088727.dll
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> C:\System Volume
> Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP956\A0088919.dll
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> C:\System Volume
> Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP957\A0089105.dll
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> C:\System Volume
> Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP958\A0089181.dll
> (Trojan.Vundo) -> Quarantined and deleted successfully.
> C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted
> successfully.
> C:\WINDOWS\system32\cekkeikx.dll (Trojan.Vundo) -> Quarantined and deleted
> successfully.
> C:\WINDOWS\system32\qoMdbCrr.dll (Trojan.Vundo) -> Quarantined and deleted
> successfully.
> C:\Documents and Settings\HP_Administrator\Application
> Data\RegistrySmart\Log\2008 Mar 09 - 09_35_29 AM_343.log
> (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
> C:\Documents and Settings\HP_Administrator\Application
> Data\RegistrySmart\Log\2008 Mar 09 - 09_35_32 AM_406.log
> (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
>
>
> "Maurice N ~ MVP" wrote:
>
>> Hello,
>>
>> Insure that your system is malware-free /first/ before getting windows
>> updates.
>> Thoroughly scan the system with your updated anti-virus and anti-malware
>> program.
>> Document the results so you can have them for posting on an anti-malware
>> forum ---- not here.
>>
>> Use Windows' Disk Cleanup to delete all temporary files.
>>
>> Download & save Malwarebytes Anti-Malware from
>> http://www.besttechie.net/tools/mbam-setup.exe or
>> http://www.majorgeeks.com/Malwarebyt...are_d5756.html
>> Double Click mbam-setup.exe to install the application.
>> Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware
>> and Launch Malwarebytes Anti-Malware, then click Finish. If an update is
>> found, it will download and install the latest version.
>> Once the program has loaded, select Perform FULL Scan, then click Scan.
>> The scan may take some time to finish,so please be patient.
>> When the scan is complete, click OK, then Show Results to view the
>> results.
>> Make sure that everything is checked, and click Remove Selected.
>> When disinfection is completed, a log will open in Notepad and you may be
>> prompted to Restart.(See Extra Note)
>> The log is automatically saved by MBAM and can be viewed by clicking the
>> Logs tab in MBAM.
>> Copy & Paste the entire report in a new reply as soon as it has finished.
>> Extra Note:
>> If MBAM encounters a file that is difficult to remove, you will be
>> presented with 1 of 2 prompts.
>> click OK to either and let MBAM proceed with the disinfection process.
>> If asked to restart the computer, please do so immediately.
>>
>> MBAM is an excellent first-line program to use and keep.
>>
>> Run a /thorough/ check for malware, including posting your HijackThis log
>> to an appropriate forum.
>>
>> Checking for/Help with Hijackware
>> http://aumha.org/a/parasite.htm
>> http://aumha.org/a/quickfix.htm
>> http://aumha.net/viewtopic.php?t=5878
>> http://wiki.castlecops.com/Malware_R...:_Introduction
>> http://mvps.org/winhelp2002/unwanted.htm
>> http://inetexplorer.mvps.org/data/prevention.htm
>> http://inetexplorer.mvps.org/tshoot.html
>> http://www.mvps.org/sramesh2k/Malware_Defence.htm
>> http://defendingyourmachine.blogspot.com/
>> http://www.elephantboycomputers.com/...moving_Malware
>>
>> When all else fails, HijackThis v2.0.2
>> (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to
>> use.
>> It will help you to both identify and remove any hijackware/spyware with
>> assistance from an expert. ** Post your log to one (and only one) of
>> the
>> following http://aumha.net/viewforum.php?f=30,
>> http://www.bleepingcomputer.com/forums/forum22.html,
>> http://castlecops.com/forum67.html,
>> http://forum.malwareremoval.com/viewforum.php?f=11
>> http://forums.spywareinfo.com/index.php?showforum=18
>>
>> http://www.spywarewarrior.com/viewfo...a7ab9210 f7ae,
>> http://forums.subratam.org/index.php?showforum=7,
>> http://forums.spybot.info/forumdisplay.php?f=22
>> or other appropriate forums for expert analysis, not here.**
>>
>> Make very sure you read and follow the very topmost instructions at the
>> forum you have selected.
>>
>> --
>> Maurice N
>> MS-MVP (Windows Client) , Aumha.net VSOP , DTS-L
>> -----
>>
>> "dirtydboi" <dirtydboi@discussions.microsoft.com> wrote in message
>> news:5A50927B-861A-40F7-B572-34C6B1BF32C3@microsoft.com...
>>> im trying to turn on my automatic updates and the services.msc is not
>>> working. it displays error 1058 everytime. i think i have the malware
>>> vundo cuz im getting these pop up ads. how do i get rid of this?
>>> --
>>> hmph.....

#7 (**permalink**) 12-12-2008

Yeah I got the same trouble and did what Maurice said Malwarebytes' is
frickin awsome. I had a problem like this before and problem was every
time u ran the scan it found the trojans but couldnt delete em cos they
r running programs that delete on reboot is gr8. I guess it deletes em
b4 they can start their programs! So glad of this cos I was scared
****less when I saw all those random ads poping up. Also btw if anyones
thinking of joining Barclays Bank don't one of the ads was theirs. I
guess they've resorted to infecting people's computers with viruses for
advertising. Funny cos that advert propably has much more a negative
effect than positive for example I vow never to even think of joining
barclays for that grief it gave me the *******s.

--
Dbcooper
------------------------------------------------------------------------
Dbcooper's Profile: http://forums.techarena.in/members/dbcooper.htm
View this thread: http://forums.techarena.in/windows-update/986120.htm

http://forums.techarena.in

#8 (**permalink**) 12-21-2008

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/21/2008 8:54:25 AM
mbam-log-2008-12-21 (08-54-25).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 421581
Time elapsed: 2 hour(s), 10 minute(s), 38 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 22
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\nnnliFyw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hgGywUnK.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{22357569-6a4d-4d7a-8590-d22daf8f5bfd} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{22357569-6a4d-4d7a-8590-d22daf8f5bfd} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{22357569-6a4d-4d7a-8590-d22daf8f5bfd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggywunk (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnlifyw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnlifyw -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nnnliFyw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wyFilnnn.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wyFilnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jlhcjalk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\klajchlj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGywUnK.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Common\_helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\The Taylors account\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.

#9 (**permalink**) 12-21-2008

Why did you post the MBAM log? You've got a lot more work to do.

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/ma...e/default.mspx

2. Run this online scan (in safe mode w/networking, if need be):
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run additional checks for hijackware, including posting your hijackthis
log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachi...php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
=====================
Start a free Windows Update support incident request:
https://support.microsoft.com/oas/de...spx?gprid=6527

Support for Windows Update:
http://support.microsoft.com/gp/wusupport

For home users, no-charge support is available by calling 1-866-PCSAFETY in
the United States and in Canada or by contacting your local Microsoft
subsidiary. There is no-charge for support calls that are associated with
security updates.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

TT wrote:
> Malwarebytes' Anti-Malware 1.31
> Database version: 1456
> Windows 5.1.2600 Service Pack 3
>
> 12/21/2008 8:54:25 AM
> mbam-log-2008-12-21 (08-54-25).txt
>
> Scan type: Full Scan (C:\|F:\|)
> Objects scanned: 421581
> Time elapsed: 2 hour(s), 10 minute(s), 38 second(s)
>
> Memory Processes Infected: 1
> Memory Modules Infected: 2
> Registry Keys Infected: 22
> Registry Values Infected: 3
> Registry Data Items Infected: 2
> Folders Infected: 0
> Files Infected: 10
<snip>

#10 (**permalink**) 12-23-2008

i have the same problem. did you fix it? i need help

"dirtydboi" wrote:

> im trying to turn on my automatic updates and the services.msc is not
> working. it displays error 1058 everytime. i think i have the malware vundo
> cuz im getting these pop up ads. how do i get rid of this?
> --
> hmph.....

error 1058 and automatic updates

microsoft.public.windowsupdate