
RUNDLL and System Restore issues.


  • This topic is locked
3 replies to this topic

#1 dave1972

dave1972

  • Members
  • 45 posts

Posted 04 January 2010 - 04:52 PM

Hi all! I'm having some issues with my eeePC Netbook running Windows XP which I hope some of you can help me to resolve. I have had previous problems with trojans/viri which can be reviewed at THIS thread.
One of these issues (manual removal of a trojan) has yet to be resolved because Norton antivirus recommends that I turn off System Restore and restart to eliminate the trojan. Problem is, I cannot get a System Restore tab anywhere on my computer and I am an administrator!

Recently I've also been getting the following message on screen after a slow startup...

A box with RUNDLL as the heading, a large red X and a message which states ...
"Error loading C:\WINDOWS\iyowazucocal.dll .The specified module could not be found. OK"

What on earth is this and does it have anything to do with the System Restore issue?

Thanks for any help!



#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,021 posts

Posted 04 January 2010 - 10:47 PM

> Recently I've also been getting the following message on screen after a slow startup...
>
> A box with RUNDLL as the heading, a large red X and a message which states ...
> "Error loading C:\WINDOWS\iyowazucocal.dll .The specified module could not be found. OK"
>
> What on earth is this and does it have anything to do with the System Restore issue?
>
> Thanks for any help!

The .dll is typical of the malware infection that you had or have. At the least it means your registry was not cleaned up from the infection or you've been reinfected as indicated from this in your other thread:
http://www.bleepingcomputer.com/forums/ind...t&p=1559100

> I've also got a warning from Norton that I have an unresolved security threat on my comp. It is called Backdoor.Tidserv.l!inf and requires manual removal.
> Norton advises the following ...
> Disable System Restore (Windows Me/XP).
> Update the virus definitions.
> Run a full system scan.
>
> I'm not sure if System Restore is enabled or disabled?

This infection may have denied you the ability to use System Restore (SR), otherwise it has nothing to do with it.

> One of these issues (manual removal of a trojan) has yet to be resolved because Norton antivirus recommends that I turn off System Restore and restart to eliminate the trojan. Problem is, I cannot get a System Restore tab anywhere on my computer and I am an administrator!

Despite what Symantec says, disabling SR beforehand is not required for malware removal. You still need to delete all restore points because infecting files are usually backed up in Restore Points, but you can wait until after cleanup instead of doing it before. So I would concentrate on being sure you are cleaned up first then look at the SR issue.

But to give you some insight as to what is going on, this message you posted in the other thread is key:
http://www.bleepingcomputer.com/forums/ind...t&p=1557556

> ...a window message box pops up telling me that "System Restore has been turned off by group policy. To turn on System Restore contact your domain Administrator".
>
> The other method I had described previously also shows no System Restore Tab.
>
> Strange. I am an administrator. When I try to access this under Safe Mode I can see both my accounts - "Dave" and "Administrator" which are both admin accounts. Maybe something has switched this off?

This tells me that the Group Policy Editor in XP (probably XP Pro, is this what you're using?) has been used to deny you permission to control System Restore. It's not a matter of being turned on or off, you don't have access to those controls period--that's why you don't see the SR tab. Even any accounts with Administrator rights can be denied permission by group policy to do certain tasks. XP Pro was designed for a business environment and this feature gives a system administrator, who has control over not one, but a group of networked computers, a means of enforcing company policy for the computers its employees are using.

It is also possible that Norton has used the Group Policy Editor to deny permission to access SR as a means of self-protection. I suggest the first thing you do is go to the following page, follow the instructions for disabling the AutoProtect feature, then see if the SR tab re-appears:
http://service1.symantec.com/SUPPORT/share...005113009323013

Let us know how it goes. Whether successful or not, my next step would be to go to the following page and follow all the relevant instructions:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

The Tidserv trojan is very difficult to remove completely--I would trust the manual removal done in the BC forums much more than instructions you get from Symantec. If you still have a problem with access to SR after cleanup, then ask your helper or come back to this thread for more assistance.
And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon
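
The two symptoms discussed in the reply above (a startup RUNDLL error for a DLL that no longer exists, and System Restore controls hidden by policy) can both be checked from saved `reg query` output. The following is an added example, not part of the original post: it assumes the leftover entry sits in the HKLM `Run` key and that the policy is stored as `DisableSR` / `DisableConfig` under the `Policies` key, and the sample text, value names and export name are constructed.

```python
import os
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

# Constructed sample of `reg query` output; value names and the export "s" are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    shell helper    REG_SZ    Rundll32.exe "C:\WINDOWS\iyowazucocal.dll",s
    NvCpl    REG_SZ    rundll32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    DisableSR    REG_DWORD    0x1
    DisableConfig    REG_DWORD    0x1
"""

VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")
# rundll32 command lines have the form: rundll32.exe <dll path>,<export> [args]
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,', re.IGNORECASE)

def parse_reg_query(text):
    """Return {key: {value_name: (type, data)}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            current[m.group(1)] = (m.group(2), m.group(3).strip())
    return keys

def orphaned_rundll_entries(keys, file_exists=os.path.exists):
    """Run-key values that launch rundll32 against a DLL that is not on disk."""
    hits = []
    for name, (_, data) in keys.get(RUN_KEY, {}).items():
        m = RUNDLL.search(data)
        if m and not file_exists(m.group(1).strip()):
            hits.append((name, m.group(1).strip()))
    return hits

def sr_policy_locks(keys):
    """System Restore policy values that are present and non-zero."""
    values = keys.get(SR_POLICY_KEY, {})
    return sorted(n for n in ("DisableSR", "DisableConfig")
                  if n in values and int(values[n][1], 0) != 0)

if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE)
    print("Orphaned rundll32 autoruns:", orphaned_rundll_entries(parsed))
    print("System Restore policy locks:", sr_policy_locks(parsed))
```

An orphaned entry explains the error box but does not show the machine is clean; the removed DLL may be only one component of the infection.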

#3 dave1972

dave1972
  • Topic Starter

  • Members
  • 45 posts

Posted 05 January 2010 - 06:27 PM

Thanks Papakid for the quick response and advice.
I've started a new thread as you have advised. It can be seen HERE.

PS. Running XP HOME edition.

Regards.

Dave.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 32,872 posts

Posted 05 January 2010 - 08:37 PM

Hello,

Now for the hard and frustrating part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 05 January 2010 - 08:38 PM.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




