Topic: HiJackThis Virus: Win32:Ruledor[Trj]

sunflower2005

  • Guest
HiJackThis Virus: Win32:Ruledor[Trj]
« on: February 19, 2005, 04:52:56 PM »
* Cleaner didn't work
* Unable to delete, repair, or move to chest
* Spybot, Ad-Aware SE, avast 4.5 didn't remove my virus.

HijackThis v1.99.1
Windows XP SP1 (WinNT 5.01.2600)
Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\Zymjjq.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\windows\system32\msnavc32.exe
C:\WINDOWS\SysCheckBop32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\i81aut32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\hpov2clt.exe
C:\WINDOWS\System32\prutqct.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\prutqct.exe
C:\WINDOWS\System32\winbfgk32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carolyn,lastname\Local Settings\Temporary Internet

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sju.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: LinkBHO.cIExplorer - {CC924BD1-7382-4619-A706-070CB00F2325} - C:\Documents and Settings\All Users\Application Data\linkbho\LinkBHO.dll
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Oagnyi.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Zymjjq.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [xljjnc] C:\WINDOWS\System32\xljjnc.exe
O4 - HKLM\..\Run: [rxcnyc] C:\WINDOWS\System32\rxcnyc.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [C:\WINDOWS\bobnqyhxp.exe] C:\WINDOWS\bobnqyhxp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [2s2X37T] i81aut32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [JBt7RXf6P] hpov2clt.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital
C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50043/QDow_AS2.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4328/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FB37AE65-64F4-4D27-AB4F-AFF3DA2441A0} (AccessMedia.TinyInstaller) - http://download.accessmedia.tv/install/US/amtinstaller.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
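The log above is in HijackThis's line format: a section code (R0/R1, O2, O4, O16, O23 ...), a dash, and the entry body. As an added example that is not from this thread or from HijackThis, here is a small Python triage over a constructed log of that shape; it extracts the running-process list and the entries, then flags what a helper reads first: references to files that no longer exist, O4 autoruns given as a bare filename (like the `i81aut32.exe` and `hpov2clt.exe` entries above, which Windows resolves through the search path), and autoruns whose binary is not in the running-process list.

```python
import re

# Constructed sample in the HijackThis log layout; every path and name is made up.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\ctfmon.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (file missing)
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O4 - HKLM\\..\\Run: [version] C:\\WINDOWS\\System32\\example2.exe
O4 - HKLM\\..\\Run: [x9Q] bare32.exe
O4 - HKCU\\..\\Run: [Tool] "C:\\Program Files\\Tool\\tool.exe" /Q
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")                     # "O4 - <body>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.+)$")  # "[name] <target>"


def parse_log(text):
    # Running-process basenames (lower-cased) and (section code, body) entries.
    running, entries = set(), []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groups())
        elif re.match(r"^[A-Za-z]:\\", line):
            running.add(line.rsplit("\\", 1)[-1].lower())
    return running, entries


def run_target(target):
    # Launched file from an O4 target, with surrounding quotes and arguments dropped.
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", target, re.IGNORECASE)
    return m.group(1) if m else target


def triage(text):
    # Returns (code, reason, body) for each entry worth a closer look.
    running, entries = parse_log(text)
    findings = []
    for code, body in entries:
        run = RUN_RE.match(body) if code == "O4" else None
        if "(file missing)" in body or "(no file)" in body:
            findings.append((code, "dangling reference", body))
        elif run:
            exe = run_target(run.group(1))
            if "\\" not in exe:
                findings.append((code, "bare filename, search-path dependent", body))
            elif exe.rsplit("\\", 1)[-1].lower() not in running:
                findings.append((code, "autorun not among running processes", body))
    return findings
```

An autorun that is not running is only a prompt to look closer, not a verdict: a per-user Run entry for another account or a program that has already exited produces the same result.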


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: HiJackThis Virus: Win32:Ruledor[Trj]
« Reply #1 on: February 19, 2005, 04:58:47 PM »
Let's start with the basics first.

    - What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
    - What was the virus name, what was the filename, where was it found
      example (C:\windows\system32\infected-filename.xxx)?

You can, however, also get an on-line logfile analysis at http://hijackthis.de/index.php, or you can use Eddy's HJT log file analysis tool: on Eddy's Website click the "HiJackThis Section" and also the "Malware removal instructions and applications" section, follow the directions there, and get back to us if you need more help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR
Re: HiJackThis Virus: Win32:Ruledor[Trj]
« Reply #2 on: February 19, 2005, 06:19:45 PM »
From your other thread.
Quote
"The System can't find file C:documents & settings\CarolynM\local settings\temporaryinternet Files\Content.IE5\WHMZ4DIZ\43[1].binfile"

Clear your browser cache ('temporary internet files').

Have you used the on-line analysis and/or Eddy's HJT analysis tool? Because the two log files look identical (including the one in the second thread that you started).
« Last Edit: February 19, 2005, 06:21:36 PM by DavidR »

Offline DavidR
Re: HiJackThis Virus: Win32:Ruledor[Trj]
« Reply #3 on: February 19, 2005, 06:25:15 PM »
Visit this link for an analysis of your log: http://hijackthis.de/logfiles/3b0dc48fa28b1bbcb645e4c49a8cf2db.html. You have 11 reported nasties.

Eddy's HJT tool will probably pick up others.

sunflower2005
Re: HiJackThis Virus: Win32:Ruledor[Trj]
« Reply #4 on: February 19, 2005, 07:19:49 PM »
Hi David:
I need your help (please). I have a Dell Inspiron 600m laptop.
Windows XP, using Internet Explorer on a cable modem.
I am a novice and don't know much about computers.

I have Ad-Aware SE, Spybot, and Avast anti-virus (all updated), but they are not able to eliminate the Trojan viruses. I really don't know what to do. Dell referred me to you because they don't analyze HiJackThis, Avast doesn't, and I can't.

Rather than my jumping to "another" forum, where can I take my computer to get it serviced directly?

Due to "time" I am unable to sit and run back and forth to various forums trying to decipher virus codes which I don't understand.

Again, my disk cleanup utility is "stuck": the green bar on the disk cleanup doesn't move. I get 2 green bars which should run "from left to right" indicating that it's cleaning. I rebooted the computer and tried to "re-run" it again, but it's not doing anything.

Not sure what to do next or where to go.

Please advise at this point. Thanks for your time. Gratefully, MJ

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: HiJackThis Virus: Win32:Ruledor[Trj]
« Reply #5 on: February 19, 2005, 07:27:51 PM »
Click on the link in my signature and follow the instructions in the malware removal section.

For help with HijackThis (or its log) click my signature and visit the HJT section.

Offline DavidR
Re: HiJackThis Virus: Win32:Ruledor[Trj]
« Reply #6 on: February 19, 2005, 09:37:11 PM »
Quote
Rather than my jumping to "another" forum, where can I take my computer to get it serviced directly.

That link gives you details directly; you are not running to and fro, and from that analysis report you can start to fix the problems. Not to mention the fact that the link I gave you to Eddy's website (and Eddy's post to visit his site) gives no end of information and tools to help you with the task.

Quote
Due to "time" I am unable to sit and run back n forth to various forums trying to decipher virus codes which I don't understand.
Time is also a factor for us (normal avast users). We are happy to help, but we can't do it all; you too have to be prepared to devote some time to learn. It is, after all, your computer.