I have the adw ruledor.c virus.
It will not allow my norton live update to operate and will not allow my Norton program to open. I have run the Hijackthis.zip file and this is what it found:
Logfile of HijackThis v1.97.7
Scan saved at 2:50:02 PM, on 1/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
E:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Mixer.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe
C:\WINDOWS\System32\taskswitch.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\rundll32.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] d:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = E:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37988.6221296296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Please help me,
sv

----------------------
Virus type: Not a Virus
Destructive: No
Aliases: Backdoor.Ruledor.C
Pattern file needed: 115
Scan engine needed: 6.700
Overall risk rating: Very Low
----------------------
Description: This memory-resident adware program downloads and installs several applications into the system without first notifying the user. The installed applications mostly have adware functionalities as well.
Solution:
Identifying the Adware Program
Before proceeding to remove this adware, first identify the adware program.
Scan your system with Trend Micro antivirus and NOTE all files detected as ADW_RULEDOR.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Adware Program
This procedure terminates the running adware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the adware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected adware files in the list of running processes.
To check if the adware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the adware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries whose data value is any of the following:
ClrSchLoader
{2CF0B992-5EEB-4143-99C0-5297EF71F444}
UpdateStats
couponsandoffers
IEDriver
WhenUSave
RunWindowsUpdate
POP
AutoUpdater
NOTE: If you were not able to terminate the adware process from memory as described in the previous procedure, restart your system.
Uninstalling Applications
This procedure uninstalls the different applications installed by the adware.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs, locate the following processes:
Popsrv205.exe
sysmond.exe
hxdl.exe
autoupdate.exe
iedriver.exe
uptodate.exe
couponsandoffers.exe
save.exe
updatestats.exe
sync.exe
Select each process then press either the End Task or the End Process button, depending on the version of Windows on your system.
Removing Other Adware Entries from the Registry
Still in the Registry Editor, look for the following registry keys and delete them:
HKEY_LOCAL_MACHINE>SOFTWARE>ClrSch
HKEY_LOCAL_MACHINE>SOFTWARE>Lycos>Sidesearch
HKEY_LOCAL_MACHINE>SOFTWARE>StatBlaster
HKEY_LOCAL_MACHINE>SOFTWARE>{2CF0B992-5EEB-4143-99C0-5297EF71F444}
HKEY_LOCAL_MACHINE>SOFTWARE>WhenUSave
HKEY_LOCAL_MACHINE>SOFTWARE>TurboDownload
HKEY_LOCAL_MACHINE>SOFTWARE>POP
HKEY_LOCAL_MACHINE>SOFTWARE>Envolo
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
CurrentVersion>Uninstall>Lycos Sidesearch
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
CurrentVersion>Uninstall>StatBlaster
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
CurrentVersion>Uninstall>{F20239CB-33DC-4ec6-959E-73EDEA0FE4D7}
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
Uninstall>{BC3BBF86-E4EC-4412-9676-8355468B3B05}
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion
>Uninstall>{14D108C8-DD97-4b78-8B50-C981500ABB8F}
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
Uninstall>{1A00C40B-DA85-4aa3-A67F-582D9347EECD}
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
Uninstall>ClockSync
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
Uninstall>POP
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
Uninstall>AMServer
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
Uninstall>AutoUpdate
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
Uninstall>couponsandoffers1.xml
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
explorer>Browser Helper Objects
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>Toolbar
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>Extensions
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>
Explorer Bars
Deleting Adware Files and Folders
Locate and delete the following files:
%Root%\setup_td.exe
%Root%\icinstaller.exe
%Root%\SaveInstCm.exe
%Root%\ezsb.exe
%Root%\couponsandoffers1.exe
%Root%\HXDLAZWM.exe
%Root%\uptodate.exe
%Root%\stlbdist.XML
%System%\stlbdist.DLL
%System%\mseoxcl40.dll
%System%\sx.htm
%System%\TD.exe
%System%\sb.htm
%System%\auto_update_uninstall.exe
%System%\auto_update_uninstall.log
%Start Menu%\Lycos Sidesearch.lnk
%Start Menu%\ClockSync
%desktop%\Lycos Sidesearch.lnk
In the Program Files folder, locate and delete the following folders and file:
AutoUpdate
POP
ClockSync
Save
couponsandoffers
Alset
Media\Media
Lycos\Sidesearch
ClearSearch
CLRSCHP038.EXE
In the My Documents folder, locate and delete the following folder:
data
In the Windows Temp directory, locate and delete the following folders:
ckz4b783
AutoUpdate0
ClrSch
Resetting Internet Explorer Homepage and Search Page
This procedure restores the Internet Explorer homepage and search page to the default settings.
Close all Internet Explorer windows.
Open Control Panel. Click Start>Settings>Control Panel.
Double-click the Internet Options icon.
In the Internet Properties window, click the Programs tab.
Click the “Reset Web Settings…” button.
Select “Also reset my home page.” Click Yes.
Click OK.
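The two posts above carry the raw material for a triage check: the HijackThis log in the original question, and the Trend Micro write-up's lists of autostart value names and process names. The script below is an added example, not code from the thread, from HijackThis or from Trend Micro. It parses the HijackThis v1.97 log layout (the "Running processes:" block followed by `Rn`/`On` entries), then cross-checks the O4 Run entries and the process list against the indicator lists transcribed from the write-up, reporting matches rather than deleting anything. The sample log is constructed from a few lines of the thread's log plus one process line and one O4 line invented to produce a positive match; the matching rule (value name equal to an indicator, or the indicator appearing as a whole token in the command path) is this example's assumption about what "data value" means in the write-up.

```python
import re
from dataclasses import dataclass, field

# Autostart value names listed in the quoted Trend Micro write-up.
RUN_VALUE_INDICATORS = [
    "ClrSchLoader", "{2CF0B992-5EEB-4143-99C0-5297EF71F444}", "UpdateStats",
    "couponsandoffers", "IEDriver", "WhenUSave", "RunWindowsUpdate", "POP",
    "AutoUpdater",
]
# Process names listed in the quoted Trend Micro write-up.
PROCESS_INDICATORS = [
    "Popsrv205.exe", "sysmond.exe", "hxdl.exe", "autoupdate.exe", "iedriver.exe",
    "uptodate.exe", "couponsandoffers.exe", "save.exe", "updatestats.exe", "sync.exe",
]

# Constructed sample in HijackThis v1.97 layout. The save.exe process line and
# the [WhenUSave] O4 line are invented for a positive match; the rest mirrors the
# thread's log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Save\save.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\save.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # e.g. "O4 - HKLM\..\Run: [x] cmd"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)   # full paths from "Running processes:"
    entries: list = field(default_factory=list)     # (section, body) tuples


def parse_hjt(text):
    """Split a HijackThis log into its process list and its Rn/On entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            log.entries.append((m.group(1), m.group(2)))
        elif in_procs:
            log.processes.append(line)
    return log


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _token_in(indicator, text):
    """Case-insensitive whole-token match so 'POP' does not hit 'Popsrv205'."""
    pat = r"(?<![A-Za-z0-9])" + re.escape(indicator) + r"(?![A-Za-z0-9])"
    return re.search(pat, text, re.IGNORECASE) is not None


def find_indicators(log):
    """Return (kind, indicator, evidence) tuples for every match in the log."""
    hits = []
    for proc in log.processes:
        name = _basename(proc).lower()
        for ind in PROCESS_INDICATORS:
            if name == ind.lower():
                hits.append(("process", ind, proc))
    for section, body in log.entries:
        if section != "O4":
            continue
        m = RUN_RE.match(body)
        if not m:
            continue                  # Global Startup lines use a different shape
        hive, value_name, command = m.groups()
        for ind in RUN_VALUE_INDICATORS:
            if value_name.lower() == ind.lower() or _token_in(ind, command):
                hits.append(("run-value", ind, f"{hive}\\..\\Run [{value_name}] {command}"))
                break
    return hits


if __name__ == "__main__":
    for kind, indicator, evidence in find_indicators(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:9} {indicator:16} {evidence}")
```

Run against the thread's actual log, the script reports nothing, which is consistent with the replies below: the O4 entries in the original question are all recognisable vendor software, and none of the write-up's process names appear in the process list. A hit only tells you that a name matches; the paths on the matched lines still need to be checked before anything is removed.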

Have to disagree with your statements. I got that same non-virus file and it wiped out almost 2,000 files. All exe's of course. Norton found 935 files and quarantined them. House call found another 835 that Norton missed. Now I use PC CILLIN 2004 Internet Security. Naturally I had to format after that little escapade.

terri
You disagree with what!!!
PC-cillin is made by Trend and this info came from the Trend site!
Look before you leap and maybe you won't look ... I never recommended deleting any exe's. I don't know what your situation was, but you obviously screwed up the instructions, and no, it is not a virus, just more adware that installs a trojan that will help with the update process.
If Norton and HouseCall together found 1770 files that were created by a trojan, I would suspect that something was wrong with my system, since the entire Windows folder holds about 515 files/folders and most viruses are fewer than 15 files.

The only thing I disagree with is the statement made by Trend saying that it was NOT A VIRUS and NOT DESTRUCTIVE. Between Norton and Trend deleting almost 2,000 of my files, that definitely became a destructive matter. I don't know how your pc would run if someone deleted 2,000 files. Mostly exe's, but mine wouldn't run at all and I ended up reformatting. Then a week later I got it back but PC CILLIN Internet Security caught it and shut down my network and internet before it could do the damage again. I only had to go through both pc's and find the culprit files that time. So I didn't mean anything by all your statements and research. Just saying what happened to me was all.

Who knows, maybe the adw ruledor.c opened up my pc to other culprits. I can't say. All I know is I couldn't run anything. Couldn't even run spybot or pest patrol because the exe files for both these programs along with my Norton exe were gone. Most all of my exe files on my pc were either quarantined, then deleted or just plain deleted. Not blaming anyone, just was saying. And whatever happened to my pc, well it really screwed it up because after this all happened and I formatted it, I no longer had an 80G hard drive. The bios only sees 33G of it. Had to use MaxBlast3 to override it using the ontrack software. I hope to be able to fix it soon. That will mean another format I'm sure but if that's what it takes I'll just have to do it.
