#1
Win32:Ruledor[trj] HELP!
Just discovered I've got the Win32:Ruledor[trj] virus in my PC. When I run my Avast it gets picked up immediately, but the message comes back: cannot be repaired, cannot be moved to chest, etc., file is in use. Tom Myboy, help. I know it's a Trojan; my AV just picked up another virus, but was able to quarantine it (move to chest). Tom, I'm in your hands! Thank you!
#2
What location is it saying it's finding the file in?
#3
Hi Grinler, looks like 4 were found! Here are the locations from the Avast log! Thank you. teacher4u

7/3/2004 5:52:10 PM JERRY\user1 2344 Sign of "Win32:Ruledor [Trj]" has been found in "C:\WINNT\system32\c39bAs.dll\[UPX]" file.
7/3/2004 6:27:34 PM JERRY\user1 2344 Sign of "JS:ClassLoader-7" has been found in "C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip\GetAccess.class" file.
7/3/2004 6:27:36 PM JERRY\user1 2344 Sign of "JS:Exploit-Bytverify-11" has been found in "C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip\InsecureClassLoader.class" file.
7/3/2004 6:52:55 PM JERRY\user1 1416 Sign of "JS:ClassLoader-7" has been found in "C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip" file.
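As an added example (not part of the thread and not taken from avast! documentation; the line format is inferred from the four entries posted above), here is a small Python parser that turns these avast! warning lines into structured records and separates the file that actually exists on disk from the member avast! found inside it. The list of container extensions is my own heuristic, as is the assumption that the account, PID and quoted fields always appear in this order.

```python
"""Parse avast! 4 "Sign of ... has been found" warning lines.

Added example for this thread. The regex is built from the four log lines
posted above; it is not an official avast! log grammar.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The four lines quoted in the thread, plus one constructed line that does not
# match, to show that unrelated text is skipped rather than mis-parsed.
SAMPLE_LOG = r"""
7/3/2004 5:52:10 PM JERRY\user1 2344 Sign of "Win32:Ruledor [Trj]" has been found in "C:\WINNT\system32\c39bAs.dll\[UPX]" file.
7/3/2004 6:27:34 PM JERRY\user1 2344 Sign of "JS:ClassLoader-7" has been found in "C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip\GetAccess.class" file.
7/3/2004 6:27:36 PM JERRY\user1 2344 Sign of "JS:Exploit-Bytverify-11" has been found in "C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip\InsecureClassLoader.class" file.
7/3/2004 6:52:55 PM JERRY\user1 1416 Sign of "JS:ClassLoader-7" has been found in "C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip" file.
constructed line that is not an avast! warning and must be ignored
"""

# date time AM/PM, MACHINE\user, PID, then the two quoted fields (heuristic).
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Path components avast! descends into: archives and packed executables.
# Everything after the first such component is a member inside it, e.g. the
# "[UPX]" packer layer or a .class inside a .zip (assumed list, not exhaustive).
CONTAINER_EXTS = (".zip", ".jar", ".cab", ".rar", ".dll", ".exe")


@dataclass
class Detection:
    when: datetime
    account: str
    pid: int
    signature: str
    scanned_path: str  # exactly what avast! printed
    disk_path: str     # the file you would actually find on disk
    inner: str         # member inside the container, "" if the hit is the file itself


def split_container(path: str) -> tuple[str, str]:
    """Split "C:\\dir\\x.zip\\a.class" into ("C:\\dir\\x.zip", "a.class")."""
    parts = path.split("\\")
    for i, part in enumerate(parts):
        if part.lower().endswith(CONTAINER_EXTS):
            return "\\".join(parts[: i + 1]), "\\".join(parts[i + 1 :])
    return path, ""


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for one warning line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    disk_path, inner = split_container(m["path"])
    return Detection(when, m["account"], int(m["pid"]), m["signature"],
                     m["path"], disk_path, inner)


def parse_log(text: str) -> list[Detection]:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def files_to_remove(detections: list[Detection]) -> dict[str, set[str]]:
    """Group detections by on-disk file: the list a cleanup actually works from."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for d in detections:
        grouped[d.disk_path].add(d.signature)
    return dict(grouped)


if __name__ == "__main__":
    for path, sigs in files_to_remove(parse_log(SAMPLE_LOG)).items():
        print(f"{path}\n    {', '.join(sorted(sigs))}")
```

Run over the four lines, the grouping shows that three of the detections sit inside one .zip in the Java plug-in cache, so only two files on disk are involved: the packed DLL in system32 (the "[UPX]" suffix is a packer layer, not a separate file) and that archive. The "file is in use" message in the first post fits the DLL being loaded into a running process, which is why the cleanup advice later in the thread moves deletion into Safe Mode.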
#4
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

I want you to fix some of those entries. Please do the following:

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

Reboot your computer into Safe Mode and delete the following files:
C:\WINNT\system32\c39bAs.dll\
C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip\GetAccess.class
C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip\InsecureClassLoader.class
C:\Documents and Settings\user1\.jpi_cache\jar\1.0\classload.jar-1f5b6b54-7304e7a5.zip

Disable System Restore. You can find instructions on how to enable and re-enable System Restore here:
Managing Windows Millennium System Restore
or
Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.
#5
Hi Grinler, how do I disable System Restore in Win 2000 Professional? It doesn't exist in Win 2000 Prof, does it?
#6
By the way, Grinler, if I have System Snapshot (SpywareBlaster) on my PC, can I just restore to a prior snapshot and eliminate the viruses that way?
#7
Response to Grinler's advice!
Hi Devshed, here's a copy of my HijackThis log, scan just run, showing hidden files. I don't see any of the files mentioned by Grinler above! I do see the line
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
In a previous post on Devshed I was having trouble with qttask.exe popping up multiple times on startup, and Tom Myboy responded. I fixed that problem by uninstalling QuickTime. This is a separate issue from the virus mentioned in this thread! What should I do now regarding virus removal? I'm going back to restore the defaults to "show hidden files". Help!

Logfile of HijackThis v1.97.7
Scan saved at 12:50:47 PM, on 7/5/2004
Platform: Windows 2000 SP5 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\winnt\System32\pctspk.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\tcpsvcs.exe
C:\winnt\system32\slserv.exe
C:\winnt\System32\snmp.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\winnt\Explorer.EXE
C:\WINNT\system32\mqsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\AIM95\aim.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/channel/START
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user1\Application Data\Mozilla\Profiles\default\pnupqyfd.slt\prefs.js)
O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\mathies.com\PopThis!\PopThis.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Last edited by teacher4u: July 5th, 2004 at 03:02 PM. Reason: Typos
#8
Fix these:
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

Reboot into Safe Mode and delete the following:
C:\WINNT\system32\P2P Networking\
C:\Program Files\LimeShop\

Reboot and post a new log.