adw ruledor.c

Name: kerryn
Date: December 15, 2003 at 20:55:22 Pacific
OS: 98 se
CPU/Ram: 32 gig? 256 meg ram
Comment:

Hi, yesterday I ran Trend Micro HouseCall and was advised by it I had 1) infected non-cleanable.....C:\WINDOWS\SYSTEM\ClrSchPO54.exe and 2) can not access C:\ProgramFiles\ClearSearch\Loader.exe. I removed number 2 yesterday but was unable to remove number 1 with HijackThis.......but number 2 has returned....I assume something to do with being unable to remove the first file in windows system.....it would be appreciated if you could give me some advice on how to remove this....



Response Number 1
Name: Abnormal
Date: December 15, 2003 at 21:34:03 Pacific
Reply:

See if this helps;
http://www.clearsearchinc.com/Internal/uninstall.html
Let me know.


0

Response Number 2
Name: kerryn
Date: December 16, 2003 at 13:06:48 Pacific
Reply:

OK, thanks, I tried that a couple of times but the files and folders are still there. Any other suggestions......? Thanks.
Can you tell me how this will affect my PC as well please?


0

Response Number 3
Name: sxshep
Date: December 16, 2003 at 15:47:51 Pacific
Reply:

Kerryn,

You can read about it here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_RULEDOR.C

Do you have HijackThis?

You can post a log here and it can hopefully be removed using HT.

Hit scan, it turns to save log. Copy and post.

hth
shep


0

Response Number 4
Name: kerryn
Date: December 16, 2003 at 21:15:29 Pacific
Reply:

Thanks heaps for that Shep, I read that page and according to Trend Micro, it is no threat to my PC, so unless someone advises against it I think I'll leave it there. Anyway here's a copy of HijackThis.......hope there isn't anything there that shouldn't be.....this has been a headache enough......cheers.....
Logfile of HijackThis v1.97.7
Scan saved at 3:57:46 PM, on 17/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.exe
C:\PROGRAM FILES\KEMAILKB\KEMAILKB.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.exe
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.exe
C:\WINDOWS\SYSTEM\LEXBCES.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.exe
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 4.0 SE\CALCHECK.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.exe
C:\WINDOWS\SYSTEM\LEXPPS.exe
C:\PROGRAM FILES\BRAVO DIALER\DIALER.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bravo.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bravo.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bravo.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bravo.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Bravo Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\PROGRAM FILES\E2G\IEBHOS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\GRISOFT\AVG7\AVGREGCL.exe /BOOT
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [WormsArmageddon.exe] C:\MYDOCU~1\WORMSA~1.exe /r
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMAILKB\KEMailKb.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avgamsvr.exe] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Startup: Start GCN.lnk = C:\Program Files\avg70tr_148.exe
O4 - User Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - User Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - User Startup: Start GCN.lnk = C:\Program Files\avg70tr_148.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37918.5719560185
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/UGO20.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {04719992-296F-4958-AA0F-FA25FFA5008B} - http://www1.excite.com/ct/speedbar/x8bar1,0,2,3.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: ChatSpace Java Client 2.1.0.88L - http://216.65.197.84:8080/Java/cs4msl088.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} (Installer2 Class) - http://download.clipgenie.com/install/clipgenie.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/r3un10n.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab


again thanks......and bye


0

Response Number 5
Name: Abnormal
Date: December 17, 2003 at 10:20:01 Pacific
Reply:

Hi kerryn, put a check mark next to
these lines, click fix checked and reboot.

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\PROGRAM FILES\E2G\IEBHOS.DLL

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
http://www.doxdesk.com/parasite/Transponder.html

O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [WormsArmageddon.exe] C:\MYDOCU~1\WORMSA~1.exe /r

O15 - Trusted Zone: http://chat.msn.com
Not safe enough for that zone, my opinion.

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/r3un10n.cab

I may have missed something, good luck.



0
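
As an added example (not part of the thread and not HijackThis's own code), this Python sketch keys each log entry by its CLSID or Run value name and reports which of the entries flagged in Response 5 show up again in a later scan, the "it has returned" situation the original post describes. The `RESCAN` text is constructed sample data and the function names are hypothetical.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")    # e.g. "O4 - HKLM\..\Run: [BELT] ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(\S+\\\.\.\\\w+): \[([^\]]+)\]")  # hive\..\key: [value name]

def entry_key(line):
    """Stable (section, identifier) key for one log line; None for non-entries."""
    m = ENTRY.match(line.strip())
    if not m:
        return None                     # header, process list, blank line
    section, body = m.groups()
    clsid = CLSID.search(body)
    if section in ("O2", "O3", "O16") and clsid:
        return (section, clsid.group(0).upper())    # GUID case varies between logs
    run = RUN.match(body)
    if section == "O4" and run:
        return (section, (run.group(1) + ":" + run.group(2)).upper())
    return (section, body.strip().upper())          # fall back to the whole body

def parse(log_text):
    """Map key -> original line for every R/O entry in a log."""
    keyed = ((entry_key(l), l.strip()) for l in log_text.splitlines())
    return {k: l for k, l in keyed if k}

def still_present(flagged_lines, rescan_text):
    """Entries marked for fixing that appear again in a later scan."""
    rescan = parse(rescan_text)
    return [rescan[k] for k in map(entry_key, flagged_lines) if k in rescan]

# Three of the lines Response 5 asked to fix, copied from the thread.
FLAGGED = [
    r"O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL",
    r"O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe",
    r"O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/r3un10n.cab",
]
# Constructed later scan (not from the thread): GUID and path case differ on purpose.
RESCAN = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.exe
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - C:\WINDOWS\BI.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\belt.exe
"""

if __name__ == "__main__":
    for line in still_present(FLAGGED, RESCAN):
        print("still present:", line)
```

An entry that survives "fix checked" and a reboot usually means something is re-creating it, so the file it points to is worth checking before fixing the line again.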

Response Number 6
Name: kerryn
Date: December 18, 2003 at 12:12:34 Pacific
Reply:

Thanks very muchly, I did all as you said except for the MSN one........I just wanted to find out first if I did that one, would I lose use of MSN? I use the messenger a lot and would hate to mess it up......your help is appreciated, thanks......


0

Response Number 7
Name: Abnormal
Date: December 18, 2003 at 22:30:30 Pacific
Reply:

I was not sure if you put that there.
Here is some info on trusted and
restricted sites.

http://www.microsoft.com/windows/ie/using/howto/security/settings.asp

If you have any more problems,
I can see what I can do, or refer you
to another site with more log readers.

Good luck


0

Response Number 8
Name: kerryn
Date: December 18, 2003 at 22:42:49 Pacific
Reply:

OK......thanks very much for your help, this site has been very helpful and I will definitely recommend it to friends and use it again......cheers......:D


0
