Can someone read my HijackThis log file?

Dev Shed Forums Sponsor:

Get inside! Sample the range of functionality easily built with JMSL Library for Time Series Data Analysis, Heat Maps, Portfolio Optimization, Monte Carlo Simulation, Stock Price Charting and more. Download Now!

April 14th, 2004, 12:22 PM

haubrich

Registered User

Join Date: Apr 2004

Posts: 3

Time spent in forums: < 1 sec
Reputation Power: 0

Can someone read my HijackThis log file?

I already had this posted...but in the wrong spot!
-----------------------------------------------
Hi...When looking on the internet yesterday for viruses and Trojan horses that can be contracted from the file sharing program Grokster, I found information on a virus that may be infecting my computer titled Dlder.exe. I found that and deleted it, but still my computer will not cooperate with me and I think there is something I have missed. Can you read this log file and tell me if there is anything else that needs to be deleted?

Logfile of HijackThis v1.97.7
Scan saved at 10:57:53, on 14/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERACT\GAMING DEVICES\JOYACT.EXE
C:\PROGRAM FILES\INTERNET CALL WAITING PC\CALLWAITING.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\DESKTOP\VERN\HIJACKTHIS_1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = URL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = URL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = URL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = URL
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-00B0D0522EB5} - C:\PROGRAM FILES\PALM\FIRECONVERTERBROWSERHELPEROBJECT.DLL
O2 - BHO: (no name) - {1A98BCA2-0BD1-47DE-9710-C7665F7F1FCB} - C:\WINDOWS\SYSTEM\IEBRW.DLL
O2 - BHO: (no name) - {A116A5C1-AD77-446C-992A-F56200B112DB} - C:\WINDOWS\SYSTEM\HMEPGE.DLL
O2 - BHO: (no name) - {B405EE45-1AA2-410D-A6CF-1A74371DCD62} - C:\WINDOWS\SYSTEM\HOTLINK.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\SUPPORT SOFTWARE\SS2.DLL
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SCBAR\V2\SCBAR.DLL
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKLM\..\RunOnce: [test]
O4 - HKCU\..\RunOnce: [test]
O4 - Startup: InterAct Profile Activator.lnk = C:\Program Files\InterAct\Gaming Devices\JoyAct.exe
O4 - Startup: Internet Call Waiting PC.lnk = C:\Program Files\Internet Call Waiting PC\CallWaiting.exe
O4 - User Startup: InterAct Profile Activator.lnk = C:\Program Files\InterAct\Gaming Devices\JoyAct.exe
O4 - User Startup: Internet Call Waiting PC.lnk = C:\Program Files\Internet Call Waiting PC\CallWaiting.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Add to FireViewer Conduit (HKLM)
O9 - Extra 'Tools' menuitem: Add to FireViewer Conduit (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Descargas (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - URL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - URL
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - URL
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} - URL
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - URL
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - URL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - URL

Also, when I press Ctrl+Alt+Delete, the task manager is always displaying a program called Explorer that can't be closed even when I'm not using the internet. Thanks for your help.
-Sydney

April 14th, 2004, 02:19 PM

medialint

spirit duplicator

Join Date: Apr 2004

Location: \\Firecrate\

Posts: 12,321

Folding Points: 232775 Folding Title: Super Ultimate Folder - Level 1

Time spent in forums: 4 Months 3 Weeks 10 h 27 m 31 sec
Reputation Power: 2575

explorer.exe is part of windows, it should always be running. Among other things, explorer is your file browsing system, task bar navigation, etc.

iexplorer.exe is internet explorer

now you know.

April 14th, 2004, 05:13 PM

karsh44

Just another guy

Join Date: Jun 2003

Location: Wisconsin

Posts: 2,915

Time spent in forums: 1 Week 6 Days 13 h 6 m 22 sec
Reputation Power: 76

get and run spybot search and destroy, then if you don't have your own antivirus software, to to trend micro and use their housecall online scan. Those should take care of things.

__________________
--Dave--

U2kgSG9jIExlZ2VyZSBTY2lzLCBOaW1pdW0gRXJ1ZGl0aW9uaXMgSGFiZXM=

April 15th, 2004, 10:23 AM

DookieDuke

Registered User

Join Date: Mar 2004

Posts: 18

Time spent in forums: < 1 sec
Reputation Power: 0

http://www.answersthatwork.com/

and look at task list... they have an extensive definitive list of processes

April 16th, 2004, 06:38 AM

edwinbrains

Retired Moderator

Dev Shed God 4th Plane (6500 - 6999 posts)

Join Date: Jan 2004

Location: London, UK

Posts: 6,670

Folding Points: 85411 Folding Title: Advanced Folder

Time spent in forums: 1 Week 6 Days 23 h 36 m 40 sec
Reputation Power: 92

moved...

__________________
- Edwin -

The General Rules Thread | The General FAQ Thread

April 16th, 2004, 03:12 PM

Tom Myboy

Contributing User

Join Date: Aug 2003

Posts: 2,491

Time spent in forums: 3 Days 20 h 13 m 41 sec
Reputation Power: 13

Hi haubrich,

Dlder.exe is advertising spyware. Considered to be one of the worst - even creating a fake "explorer.exe" file. Can be installed via versions of "Grokster", "Lime Wire" and "KaZaA" amongst other file-sharing utilities. Reported in the past as a virus.

Did you do any of the suggestions the other people posted? You have a lot going on in your log. This is where I would start. Dump the filesharing program, ther are safer alternatives and begin with these:

Windows Update has just released new critical updates. Download each one, rebooting when necessary.

Please download and UPDATE Adaware (link below). Scan and remove all checked items.

Reboot

Download and UPDATE Spybot Search and Destroy (link below). Scan and remove all items marked in RED.

Reboot

Download and UPDATE Spywareblaster (link below). Enable all protectecion

Post a fresh log to see how you are doing..

Tom

__________________
HijackThis
Ad-aware
Spybot Search & Destroy
SpywareBlaster
SpywareGuard
Housecall Online A/V Scan
Please read the stickys at the top of the forum before posting!

Thread Tools	Search this Thread
Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: