automatic updates

Guest

About two weeks ago McAfee discovered a trojan on my computer (rpcreloc.exe)
and for the past two days, when I turn the computer on, it finds and deletes a
trojan called DollarRevenue. Naturally I began to frantically examine all my
security settings, and one thing that I have noticed is that my 'Automatic
Updates' is turned off at startup. I click to have my system automatically
updated, click 'apply' and then close, and on the next startup it is again
turned off.

Any ideas what might be causing this? Is one of those trojans doing it or
is there a conflict with some other security setting?
 
Guest

DL, thank you for your very prompt reply. For two days now I have been
scanning with Windows Defender, McAfee, SpyBot and AdAware, but the problem
remains.

A few cookies were found (shown in red, so I deleted them) but the real
trouble, I think, is this thing that McAfee keeps finding:

C:\Windows\rpcreloc.exe infected Trojan name: New Malware.j

Each time I run the scan it finds two instances of this, and lists them like
they're brand new, and tells me that the file cannot be cleaned.

SpyBot also found something called "Zlob Downloader", which was successfully
deleted. It also found:

Antivirus Disable Notify
Antivirus Override
Firewall Disable Override
Firewall Override
SP2 Update
Update Disable Override

While these things look like something that might be associated with Windows
operations they were listed in red so I deleted them. I've noticed no
difference in pc performance for doing so. (yet)

After running the scans, turning on system restore, rebooting..... doing
everything I can think of (which, granted, for a non-tech type is not much)
the Automatic Update will reset to "off" as soon as I do anything at all,
even play solitaire.

Needless to say, I'm pretty much at a loss here.
 
Guest

Still trying to rid machine of this thing.....

I did as you suggested, downloaded the Stinger and Trend Micro utilities and
ran them, however, I encountered a difficulty.

I cannot start my machine in 'safe mode', it is not listed on the options I
have after pressing F8.

Press F8 while the Gateway logo screen is up and it brings up a black screen
with a blue box, and the box reads like this:

Please select boot device:
ATAPI CD-ROM
Removable Device
Hard Drive
Intel (R) Boot Agent VE

Use arrow keys to change selection
Use ENTER to select and save
Use ESCAPE to exit without save

I'm not that brave, so the only things I have tried are hitting escape and
selecting 'hard drive' - neither of them worked.

One other thing that might be hampering this process is that I have a
Windows welcome screen with two users' desktops on it. Would that matter to
safe mode or does it simply bypass that screen?

McAfee warns me at startup now that it has found a problem, so I tell the
screen "yes, I know" *sigh*
 
Guest

good news, DL! found these instructions from Patrick Keenan on another post
and was able to access safe mode -- I knew right where that nasty little file
was and I deleted it, and McAfee now cannot find it

thanks for all your help! you guys are the best

instructions for getting into safe mode:
Since you know what the file name is, you should also know where it is.
Often these files are stored either in a temporary file folder or in one of
the Windows folders, either Windows or the \system32 folder.

Restart the system in Safe Mode and you should be able to remove the file.

To start the system in Safe Mode, either press F8 at startup or go to
start, run, type msconfig and press enter. On the Boot.ini tab, select
"/safeboot". Restart the system - it will come up in Safe Mode. Use the
Administrator account to locate the file and delete it. When you're done,
rerun msconfig and remove the /safeboot setting.

You may need to turn on, in Explorer, viewing hidden and system files:
Open Explorer, and use Tools, Folder Options, View, Show Hidden Files and
Folders and de-select Hide Protected Operating System Files.


Once the file is removed and the system is restarted in regular mode, you
might be presented with an error message from whatever was loading the
trojan (you also might not). You should be able to locate this fairly
easily with msconfig, and disable it or manually remove it.

There may be a copy of the file in a (now infected) restore point, which is
why you turn System Restore off then on again *after* removing the file.
But when you do that, make sure that you create a new restore point.
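
A post-cleanup check for the two leftovers this thread describes, a startup entry still pointing at the deleted file and the disable/override settings SpyBot listed. This is an added example, not part of the original posts. The registry locations and value names are my assumption about where those items live on Windows XP SP2, and the sample export is constructed.

```python
import re

# Constructed sample in `reg export` text format (not from the poster's machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"rpcsvc"="C:\\Windows\\rpcreloc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dw>[0-9a-fA-F]{8})|"(?P<s>.*)")$')

def parse_reg(text):
    """Return {key_path: {value_name: int or str}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            if m["dw"] is not None:
                current[m["name"]] = int(m["dw"], 16)
            else:  # undo .reg escaping of backslashes and quotes
                current[m["name"]] = re.sub(r"\\(.)", r"\1", m["s"])
    return keys

def audit(keys, removed_file):
    """List autoruns still naming removed_file and protection flags set to 1."""
    findings = []
    for path, values in keys.items():
        leaf = path.lower()
        for name, val in values.items():
            if leaf.endswith(r"\currentversion\run") and isinstance(val, str) \
                    and removed_file.lower() in val.lower():
                findings.append(("autorun", name, val))
            elif leaf.endswith(r"\security center") and val == 1 \
                    and name.endswith(("DisableNotify", "Override")):
                findings.append(("security-center", name, val))
            elif leaf.endswith(r"\windowsupdate\au") and name == "NoAutoUpdate" and val == 1:
                findings.append(("updates-policy", name, val))
    return findings
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `parse_reg`.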
 
