Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > Adw ruledor.c

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Adw ruledor.c

Reply to Message Icon

Name: vickietx
Date: December 15, 2003 at 08:54:20 Pacific
OS: Windows XP Home Edition V
CPU/Ram: 3.07 GHz 1.00 GB of ram
Comment:

I have done a trend micro virus scan, an AVG, ran Spybot, and hijack this. I was getting virus alerts from AVG about DOWNLOAD.SWIZZOR.C, and now am getting one for ADW RULEDOR.C. Trendmicro Housecall found that one.
Here is the result of my Hijack this scan:

Logfile of HijackThis v1.97.7
Scan saved at 10:53:04 AM, on 12/15/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\Screen Scapes Task.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\WINDOWS\iClearSearch\ClrSchP026.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://Z885.find-quick.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us7.hpwis.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rpvg0cch.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rpvg0cch.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_7_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {7f12a03f-ac86-402e-a3ea-cc0d4909b35c} - C:\DOCUME~1\Owner\APPLIC~1\footstsca.dll (file missing)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_7_0.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: frthvstssli - {9b2cfc54-b626-471d-a81b-01d7452d82ea} - C:\DOCUME~1\Owner\APPLIC~1\footstsca.dll (file missing)
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - Startup: Screen Scapes Task.lnk = C:\WINDOWS\Screen Scapes Task.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://www.quantumss.com/ProjectManager/Demo/demonow.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = F16305.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = F16305.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3479423D-0E36-4A0C-AD2B-2410D8EAE180}: Domain = F16305.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{49059F41-1BE3-4DFC-A76D-40EDBCD2589B}: Domain = F16305.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E485A22-96C1-498A-B19B-C4D5E454D809}: NameServer = 151.164.166.201 151.164.1.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = F16305.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3479423D-0E36-4A0C-AD2B-2410D8EAE180}: Domain = F16305.find-quick.com



Sponsored Link
Ads by Google

Response Number 1
Name: TheKid
Date: December 15, 2003 at 09:41:10 Pacific
Reply:

This help;

http://www.computing.net/security/wwwboard/forum/7752.html



0

Response Number 2
Name: sxshep
Date: December 15, 2003 at 10:13:15 Pacific
Reply:

Vickie,

Close all windows except Hijack This, put check marks and fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://Z885.find-quick.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

O2 - BHO: (no name) - {7f12a03f-ac86-402e-a3ea-cc0d4909b35c} - C:\DOCUME~1\Owner\APPLIC~1\footstsca.dll (file missing)

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)

O3 - Toolbar: frthvstssli - {9b2cfc54-b626-471d-a81b-01d7452d82ea} - C:\DOCUME~1\Owner\APPLIC~1\footstsca.dll (file missing)

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = F16305.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = F16305.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3479423D-0E36-4A0C-AD2B-2410D8EAE180}: Domain = F16305.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{49059F41-1BE3-4DFC-A76D-40EDBCD2589B}: Domain = F16305.find-quick.com


O17 - HKLM\System\CCS\Services\Tcpip\..\{8E485A22-96C1-498A-B19B-C4D5E454D809}: NameServer = 151.164.166.201 151.164.1.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = F16305.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3479423D-0E36-4A0C-AD2B-2410D8EAE180}: Domain = F16305.find-quick.com

Restart into safe mode and delete

C:\WINDOWS\iClearSearch\ClrSchP026.exe


The 017's are usually not good things, but take a look and see if any are keepers.

The 06 may be valid if you set it that way.

The ClearSearch stuff is Ruledor.C

Reboot and post another log

hth
shep


0

Response Number 3
Name: vickietx
Date: December 15, 2003 at 12:27:17 Pacific
Reply:

Ok, I did that and here is the results of my scan:

Logfile of HijackThis v1.97.7
Scan saved at 2:20:01 PM, on 12/15/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Zinio\ZDLM.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\Screen Scapes Task.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us7.hpwis.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rpvg0cch.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rpvg0cch.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_7_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_7_0.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - Startup: Screen Scapes Task.lnk = C:\WINDOWS\Screen Scapes Task.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://www.quantumss.com/ProjectManager/Demo/demonow.cab



0

Response Number 4
Name: sxshep
Date: December 15, 2003 at 12:41:25 Pacific
Reply:

Vickie,

Have you run your AV program again to see if it's gone?

You mentioned Spybot Search and Destroy, didn't see it. If not here is the Spybot Search & Destroy site. Download,update, run and delete all marked in red.

shep


0

Response Number 5
Name: vickietx
Date: December 15, 2003 at 13:02:07 Pacific
Reply:

Let me do those real quick. Yes, I have Spy Bot Search and Destroy on here. This is my work computer, so I have to get it fixed....
Thanks for all the help.
:-D


0

Related Posts

See More



Response Number 6
Name: vickietx
Date: December 15, 2003 at 13:25:16 Pacific
Reply:

AVG is still running. I did SpyBot and it FINALLY had the iclearsearch in there in red, so I "fixed" it.
Will let you know what the AVG scan shows as soon as it is done. I leave here at 3:30 CST, so I may not get back to you until tomorrow morning after 8:30 am.
Again, thank you for all your help.

Vickie


0

Response Number 7
Name: vickietx
Date: December 15, 2003 at 13:32:47 Pacific
Reply:

AVG is finished and it detected no virus's. It didnt earlier eiher though. IF these pop back up in the next day or so, I will be back to see what else to do. Do you want another hijackthis scan log?


0

Response Number 8
Name: sxshep
Date: December 15, 2003 at 14:19:13 Pacific
Reply:

Vickie,

Don't tink another log is needed right now, unless some of the others spot something.
If you run into anything new popping up I will monitor this thread for the next few days.
Glad things are looking up, and you are most welcome.

shep


0

Response Number 9
Name: vickietx
Date: December 16, 2003 at 07:17:34 Pacific
Reply:

Ok, it is Tuesday morning. I have been online for a bit doing various things, and nothing has popped up telling me I have a virus. I really appreciate the help I got in here and will recommend you to friends and family as a great place to go to for help. thanks a bunch, you guys are great!
Vickie


0

Response Number 10
Name: vickietx
Date: December 16, 2003 at 11:41:35 Pacific
Reply:

Ok, I got the popup now saying that the download.swizzor.c is still on my system from AVG. I ran Spy Bot again, nothing was found, and ran AVG scan, nothing was found there, either. Now what do I do?


0

Response Number 11
Name: sxshep
Date: December 16, 2003 at 12:24:24 Pacific
Reply:

Vickie,

Sorry to hear this.
In your above post you mentioned that AVG found it, is it in quarantine now? Then you said AVG didn't find it. Kinda confused.

Try running AVG in safe mode if it didn't put it in quarantine, see what happens.

It is a Lop varient and I didn't see signs of the application data entries usually associated with it.

If it finds it again and won't put it in quarantine make note of the file path and post a new log.

I'm @ work now and get home 5:30 Eastern, then be able to look over log.

shep


0

Response Number 12
Name: sxshep
Date: December 16, 2003 at 12:32:48 Pacific
Reply:


Forgot to mention, diable system restore, safe mode, scan, quarantine, reboot, and enable restore.

Later
shep


0

Response Number 13
Name: vickietx
Date: December 16, 2003 at 12:36:37 Pacific
Reply:

Shep,
It is weird. A window pops up telling me that AVG found a virus, what it is and to run AVG . When I run AVG, it finds nothing at all. It says everything is fine.
I am working on an XP here at work, and dont know how to disable all those things or start it in SafeMode. I run 98 SE2 at home and am more familiar with that. This XP has things in different places.


0

Response Number 14
Name: sxshep
Date: December 16, 2003 at 13:22:04 Pacific
Reply:

Vickie,

Safe mode = Click on Restart and start tapping the F8 key. Eventually it will boot to a funny looking sceen w/safe mode in the corners. Run your up to date avg from there.

But first:
Click on Start, right click on My Computer> Properties> System Restore, and put a check mark in the Turn off System Restore.

Then do your restart F8 thing and run AVG.

This proceedure has been known to work, as safe mode loads a minimal set of programs, and the System Restore off deal is on the chance that it is resident in the restore.

When thru, go back and take the check mark out and a new restore point will be created, hopefully without the trojan if there before.

Be Here
shep


0

Response Number 15
Name: sxshep
Date: December 16, 2003 at 13:23:40 Pacific
Reply:

And post log


0

Response Number 16
Name: vickietx
Date: December 16, 2003 at 13:29:45 Pacific
Reply:

Ok, herer it is. I will look at what you suggest tomorrow morning when I get into office. Thanks again,
Vickie

Logfile of HijackThis v1.97.7
Scan saved at 3:29:23 PM, on 12/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Zinio\ZDLM.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\Screen Scapes Task.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us7.hpwis.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rpvg0cch.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rpvg0cch.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_7_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_7_0.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - Startup: Screen Scapes Task.lnk = C:\WINDOWS\Screen Scapes Task.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://www.quantumss.com/ProjectManager/Demo/demonow.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E485A22-96C1-498A-B19B-C4D5E454D809}: NameServer = 151.164.166.201 151.164.1.8



0

Response Number 17
Name: sxshep
Date: December 17, 2003 at 04:15:08 Pacific
Reply:

Vickie,

Don't see anything wrong in your log.

I'm off to work, will check in from time to time to see how you made out.

shep


0

Response Number 18
Name: sxshep
Date: December 17, 2003 at 04:18:39 Pacific
Reply:

One more spyware program you ca try:

Lavasoft Adaware

Update it's definitions and run.

shep



0

Response Number 19
Name: vickietx
Date: December 17, 2003 at 07:26:45 Pacific
Reply:

Well, so far this morning hasnt popped anything up. But, I tried to go to safe mode and run AVG, and it just would not run for some reason.
I have ran AVG, SPYBOT, The AdWare, and SPYWARE Blaster.
Here I always thought I was so careful about things, and I got caught somehow...LOL
If I get another pop up from AVG saying that swizzor is here, I will let ou know. I have noticed, the file name always changes when it pops up. I dont know if that is relevant or not.
Thanks for all your help Shep. It is appreciated more than you know!
Vickie


0

Response Number 20
Name: sxshep
Date: December 17, 2003 at 08:56:13 Pacific
Reply:

Vickie,

Did you delete the 017 line with HT?
If not, do so. HT has a restore option which enables you to put back things. Not at home so I don't have HT here, look around the options.
Close all browser windows and delete, reboot.
Make a note in wordpad or something of the 017 line so you know what to look for .

I'm running out of ideas, but as I said 017 lines are rarely good.

shep


0

Response Number 21
Name: vickietx
Date: December 17, 2003 at 09:55:36 Pacific
Reply:

I have deleted that line 17 from Hijack this 2x now and it keeps coming back.
Scans from AVG and Spybot come up clean.
Off to lunch now.
Thank you,
Vickie


0

Response Number 22
Name: sxshep
Date: December 17, 2003 at 12:07:05 Pacific
Reply:

Vickie,

It is prob OK then, part of your SBC Yahoo set up.

Fingers crossed.

shep


0

Response Number 23
Name: sxshep
Date: December 17, 2003 at 12:47:26 Pacific
Reply:

Vickie,

Look at this post:

http://www.computing.net/security/wwwboard/forum/7564.html

Tom 41's reply is one we haven't tried.

shep


0

Response Number 24
Name: vickietx
Date: December 17, 2003 at 13:30:46 Pacific
Reply:

Shep,
Ok, cause I deleted it again, and it is back in there.
I looked at that folder above, and that is not in there.
I have not been at the computer all day, just off and on. I have not seen the AVG virus popup this afternoon, so that seems to be ok. But last time I said that....LOL
Hopefully we took care of it. IF it pops up again, I guess I will be back, but for now, it seems I am taken care of.
Thank you again and have a great day, and Merry Christmas and Happy New Year if I dont see you by then.
Vickie


0

Response Number 25
Name: sxshep
Date: December 17, 2003 at 14:41:59 Pacific
Reply:


Have a great holiday yourself. Hope all goes smoothly.

Take Care
shep

ps I'll keepit in MyFavorites for a while anyway


0

Sponsored Link
Ads by Google
Reply to Message Icon

Can't search from my Addr... AVG Update



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: Adw ruledor.c
ADW Ruledor.c\loader.exe virus help www.computing.net/answers/security/adw-ruledorcloaderexe-virus-help/7698.html

ADW RULEDOR.C and friends! www.computing.net/answers/security/adw-ruledorc-and-friends/8271.html

Ruledor.c Trojan/hijack this log www.computing.net/answers/security/ruledorc-trojanhijack-this-log/8908.html