HELP!!!

Hey guys, I’m new. I hope you can help me.

I’ve done a scan for the past three days, and Avast 4.1 HE found this:

Win32Ruledor[tri] or [trj] (I wrote it down fast, so I’m not sure, but I did a search on both)

in file:

c:\WINDOWS\SYSTEM\trncee.dll[UPX]

I deleted all, but it keeps coming back. I did a Google search, no info. I did a virus definition search, no info. I even did a search on trncee.dll, but still no info. Does anyone know what this is, and how I can get rid of it, if in fact it is a real virus?

Thanks!

Scan with Housecall or some other online scanner and post the results.

I scanned with two online scanners and no virus was found. I’m at a loss. I have AdAware and Spybot, no malware was found.

Forgot to add that I switched to Firefox browser, from IE6. Since then, I get the virus message. When I did the online scans, I had to go back into IE6 for them to work. They don’t work with Firefox.

Hi,

some info here:
Trend

Is the file always found under the same path/name?

You need to generally secure your system. Additionally, SpywareBlaster from Javacool might help…

:wink:

I have spywareblaster as well.

Here’s the AV log:

07/03/2004 9:05:17 PM é |Ì| 4294568439 Sign of “Win32:Ruledor [Trj]” has been found in “c:\WINDOWS\SYSTEM\trncee.dll[UPX]” file.
07/03/2004 9:10:59 PM é |Ì| 4294568439 Sign of “Win32:Ruledor [Trj]” has been found in “c:\WINDOWS\SYSTEM\IAicemm.dll[UPX]” file.
07/03/2004 10:01:27 PM é |Ì| 4294568439 Sign of “Win32:Ruledor [Trj]” has been found in “C:\WINDOWS\SYSTEM\trncee.dll[UPX]” file.
07/03/2004 10:01:28 PM é |Ì| 4294568439 Sign of “Win32:Ruledor [Trj]” has been found in “C:\WINDOWS\SYSTEM\IAicemm.dll[UPX]” file.
07/05/2004 10:07:25 PM é |Ì| 4294490827 Sign of “Win32:Ruledor [Trj]” has been found in “c:\WINDOWS\SYSTEM\trncee.dll[UPX]” file.
07/05/2004 10:09:12 PM é |Ì| 4294490827 Sign of “Win32:Ruledor [Trj]” has been found in “c:\WINDOWS\SYSTEM\IAicemm.dll[UPX]” file.
07/05/2004 11:04:33 PM é |Ì| 4294490827 Sign of “Win32:Ruledor [Trj]” has been found in “C:\WINDOWS\SYSTEM\trncee.dll[UPX]” file.
07/05/2004 11:04:34 PM é |Ì| 4294490827 Sign of “Win32:Ruledor [Trj]” has been found in “C:\WINDOWS\SYSTEM\IAicemm.dll[UPX]” file.
07/06/2004 8:23:39 PM é |Ì| 4294591043 Sign of “Win32:Ruledor [Trj]” has been found in “c:\WINDOWS\SYSTEM\trncee.dll[UPX]” file.
07/06/2004 9:14:07 PM é |Ì| 4294591043 Sign of “Win32:Ruledor [Trj]” has been found in “C:\WINDOWS\SYSTEM\trncee.dll[UPX]” file.

I’m stumped :-[

Have you worked through all the instructions at TrendMicro (link above)?

Please also post a HijackThis log: http://hjt.klaffke.de/en

Here’s the HJT log.

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPAMIHILATOR\SPAMIHILATOR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\UNZIPPED\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abstracts.net/gossip.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL__SpybotSDDisabled (file missing)
O3 - Toolbar: (no name) - {9E1128F1-53FA-11D5-8490-0048548030CA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU..\Run: [Spamihilator] “C:\Program Files\Spamihilator\spamihilator.exe”
O4 - Startup: systemtray.lnk = C:\WINDOWS\SYSTEM\SysTray.Exe
O4 - Startup: LoadPowerProfile.lnk = ?
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031028/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab