Help needed with trojan problem

Discussion in 'malware problems & news' started by sallybear, May 19, 2004.

Thread Status:
Not open for further replies.
  1. sallybear

    sallybear Registered Member

    Joined:
    May 19, 2004
    Posts:
    4
    Hi, I'm new to this forum but wondered if you would be so kind as to help me.

    I am using Windows XP and have Avast version 4.1 home edition. I also regularly use Ad-aware, Reg Scrub XP and Spybot Search & Destroy. I have a pop-up stopper from Panicware running most of the time.

    I recently had a virus alert:

    Win32:Revop (trj)

    and since then I have had about 20 infections of

    Win32:Trojan-gen{vc}

    I have used Avast to deal with these, but each time I turn on my computer I seem to have one within about 30 minutes.

    I understand about turning the System Restore off but also have a problem here. When I right-click on My Computer in Windows Explorer to open the Properties box I get the following message:

    rundll32.exe - Entry point not found

    The procedure entry point RemoteAssistancePrepareSystemRestore could not be located in the dynamic link library WINSTA.dll


    So if any of you clever people could help me I would really appreciate it.

    Thanks, Sallybear
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
  3. sallybear

    sallybear Registered Member

    Joined:
    May 19, 2004
    Posts:
    4
    Hi Paul, I read the link and as I already had the first two programs I assume you wanted to see my HijackThis log, so here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 07:41:19, on 20/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\unzipped\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3AD09ACB-EE3C-4B13-8371-38DD65947DCE} (HD300Controller Control) - http://192.168.1.10/HD300CTL.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/activex/HMAtchmt.ocx




    The thing I was also asking for help with was how to turn the System Restore off, as I feel this will fix my problem, but if you refer to my original message you will see the problem I am having doing this.

    Any help appreciated, thanks.
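As an added example that is not part of this thread: a small Python parser for the HijackThis log format sallybear pasted. It separates the O4 autorun entries (resolving what a rundll32 command really loads) from the O16 ActiveX download (DPF) entries, and flags a DPF entry with no display name or whose download host is an IP literal or a private address, as with the HD300CTL.cab line above. The sample lines are constructed to match the log's shape, not copied from a real machine.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed sample lines shaped like the HijackThis log in this thread (not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\RunOnce: [SpyBotSnD] "C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe" /autocheck
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE
O16 - DPF: {3AD09ACB-EE3C-4B13-8371-38DD65947DCE} (HD300Controller Control) - http://192.168.1.10/HD300CTL.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
"""
O4_KEY = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")          # registry Run/RunOnce
O4_DIR = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")  # Startup folders
O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

def launched_program(cmd):
    # Program a Run entry really starts: the quoted token, the DLL behind rundll32, else the first token.
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tok = cmd.split(maxsplit=1)
    if len(tok) == 2 and tok[0].lower() == "rundll32.exe":
        return tok[1].split(",")[0]  # rundll32 only hosts the DLL; report the DLL (path assumed space-free)
    return tok[0] if tok else ""

def parse_o4(line):
    m = O4_KEY.match(line) or O4_DIR.match(line)
    if not m:
        return None
    exe = launched_program(m["cmd"]) if m.re is O4_KEY else m["cmd"]  # Startup .lnk targets are bare paths
    return {"location": m["loc"], "name": m["name"], "command": m["cmd"], "exe": exe}

def parse_o16(line):
    m = O16.match(line)
    if not m:
        return None
    host = urlparse(m["url"]).hostname or ""
    flags = [] if m["name"] else ["no display name"]  # a nameless control warrants a closer look
    try:  # an address literal instead of a DNS name is unusual for a legitimately distributed control
        flags.append("private-network host" if ipaddress.ip_address(host).is_private else "IP-literal host")
    except ValueError: pass  # a DNS name, not an address literal
    return {"clsid": m["clsid"], "name": m["name"] or "", "url": m["url"], "host": host, "flags": flags}

def parse_log(text):
    # Split HijackThis output into autorun (O4) and ActiveX download (O16) entries.
    autorun, dpf = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if (entry := parse_o4(line)):
            autorun.append(entry)
        elif (entry := parse_o16(line)):
            dpf.append(entry)
    return {"autorun": autorun, "dpf": dpf}
```

Feed it a full log with `parse_log(open(path).read())` and review the `exe` of each autorun entry and the `flags` of each DPF entry; other HijackThis sections (R0, O2, O3, O9) are ignored by this parser.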
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi sallybear,

    The first logical step would be to update Windows and IE.
    Since this will replace many system files with newer versions, this might very well solve your problem with System Restore.
    Then we'll take it from there.

    Regards,

    Pieter
     
  5. sallybear

    sallybear Registered Member

    Joined:
    May 19, 2004
    Posts:
    4
    Hi Pieter, everything is updated already and the System Restore problem is still there.
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Sally bear

    Your log shows you are running XP basic, so it's not updated.

    You need to update to SP1 and all critical updates and service packs.

    Go here, click Scan for updates in the main frame, and download and install all CRITICAL updates and service packs recommended.

    Many of the latest security fixes will not install without SP installed.

    Turn off System Restore by following the instructions here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, then re-enable System Restore and create a new restore point.

    If that way doesn't work, then go to

    Start / Programs / Accessories / System Tools / System Restore, press on System Restore Settings and then follow the prompts to turn it off.
     
  7. sallybear

    sallybear Registered Member

    Joined:
    May 19, 2004
    Posts:
    4
    Wow!! I am so shocked. I have SP1 on disk and installed it when I last installed XP. I will go try again; also I have Automatic Updates installed and get the little pop-up almost twice a week, but I will go and do this right away. Thanks for the info.
     