#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2004
    Posts
    3
    Rep Power
    0

    Angry Can someone read my HijackThis log file?


    I already had this posted...but in the wrong spot!
    -----------------------------------------------
    Hi...When looking on the internet yesterday for viruses and Trojan horses that can be contracted from the file sharing program Grokster, I found information on a virus that may be infecting my computer titled Dlder.exe. I found that and deleted it, but still my computer will not cooperate with me and I think there is something I have missed. Can you read this log file and tell me if there is anything else that needs to be deleted?

    Logfile of HijackThis v1.97.7
    Scan saved at 10:57:53, on 14/04/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\INTERACT\GAMING DEVICES\JOYACT.EXE
    C:\PROGRAM FILES\INTERNET CALL WAITING PC\CALLWAITING.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\DESKTOP\VERN\HIJACKTHIS_1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...nsumer&LC=1009
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysask.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/...=sesm&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
    O1 - Hosts: 216.93.168.167 auto.search.msn.com
    O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
    O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-00B0D0522EB5} - C:\PROGRAM FILES\PALM\FIRECONVERTERBROWSERHELPEROBJECT.DLL
    O2 - BHO: (no name) - {1A98BCA2-0BD1-47DE-9710-C7665F7F1FCB} - C:\WINDOWS\SYSTEM\IEBRW.DLL
    O2 - BHO: (no name) - {A116A5C1-AD77-446C-992A-F56200B112DB} - C:\WINDOWS\SYSTEM\HMEPGE.DLL
    O2 - BHO: (no name) - {B405EE45-1AA2-410D-A6CF-1A74371DCD62} - C:\WINDOWS\SYSTEM\HOTLINK.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
    O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\SYSTB.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
    O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\SUPPORT SOFTWARE\SS2.DLL
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SCBAR\V2\SCBAR.DLL
    O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\SYSTB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKLM\..\RunOnce: [test] 
    O4 - HKCU\..\RunOnce: [test] 
    O4 - Startup: InterAct Profile Activator.lnk = C:\Program Files\InterAct\Gaming Devices\JoyAct.exe
    O4 - Startup: Internet Call Waiting PC.lnk = C:\Program Files\Internet Call Waiting PC\CallWaiting.exe
    O4 - User Startup: InterAct Profile Activator.lnk = C:\Program Files\InterAct\Gaming Devices\JoyAct.exe
    O4 - User Startup: Internet Call Waiting PC.lnk = C:\Program Files\Internet Call Waiting PC\CallWaiting.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Add to FireViewer Conduit (HKLM)
    O9 - Extra 'Tools' menuitem: Add to FireViewer Conduit (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: Descargas (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
    O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://images.bonzi.com/freebuddy/wd/bbsetupad1.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/Browser_Plugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ir_Alt_Pub.cab
    O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} - http://installs.hotbar.com/installs/...ams/hotbar.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...894.3328009259
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab


    Also, when I press Ctrl+Alt+Delete, the task manager is always displaying a program called Explorer that can't be closed even when I'm not using the internet. Thanks for your help.
    -Sydney
  2. #2
  3. Type Cast Exception
    Devshed Supreme Being (6500+ posts)

    Join Date
    Apr 2004
    Location
    OAKLAND CA | Adam's Point (Fairyland)
    Posts
    14,954
    Rep Power
    8617
    explorer.exe is part of windows, it should always be running. Among other things, explorer is your file browsing system, task bar navigation, etc.

    iexplorer.exe is internet explorer

    now you know.
  4. #3
  5. Just another guy
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Jun 2003
    Location
    Wisconsin
    Posts
    2,953
    Rep Power
    262
    get and run spybot search and destroy, then if you don't have your own antivirus software, to to trend micro and use their housecall online scan. Those should take care of things.
    --Dave--

    U2kgSG9jIExlZ2VyZSBTY2lzLCBOaW1pdW0gRXJ1ZGl0aW9uaXMgSGFiZXM=

    My hobby: collecting US coins
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2004
    Posts
    18
    Rep Power
    0
    http://www.answersthatwork.com/

    and look at task list... they have an extensive definitive list of processes
  8. #5
  9. Retired Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jan 2004
    Location
    London, UK
    Posts
    6,669
    Rep Power
    147
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Aug 2003
    Posts
    2,491
    Rep Power
    19
    Hi haubrich,

    Dlder.exe is advertising spyware. Considered to be one of the worst - even creating a fake "explorer.exe" file. Can be installed via versions of "Grokster", "Lime Wire" and "KaZaA" amongst other file-sharing utilities. Reported in the past as a virus.

    Did you do any of the suggestions the other people posted? You have a lot going on in your log. This is where I would start. Dump the filesharing program, ther are safer alternatives and begin with these:

    Windows Update has just released new critical updates. Download each one, rebooting when necessary.

    Please download and UPDATE Adaware (link below). Scan and remove all checked items.

    Reboot

    Download and UPDATE Spybot Search and Destroy (link below). Scan and remove all items marked in RED.

    Reboot

    Download and UPDATE Spywareblaster (link below). Enable all protectecion

    Post a fresh log to see how you are doing..

    Tom
    HijackThis
    Ad-aware
    Spybot Search & Destroy
    SpywareBlaster
    SpywareGuard
    Housecall Online A/V Scan

    Please read the stickys at the top of the forum before posting!

IMN logo majestic logo threadwatch logo seochat tools logo