Multiple instances of Explorer?
Mourngrym
01-04-2002, 12:54 AM
Here's a strange one...
I've noticed here today, that upon rebooting my system, it shows in the taskmanager, two instances of Explorer running. Checking Msconfig shows something called "dlder" loading C:\explorer\Explorer.exe This is not new, I'd noted this beforehand, and not really thought much of it, since explorer is one of the tasks that needs to be running. I suppose what I am asking here is actually twofold. Where else does one look for things being started, and how in blazes does one remove the items from the "startup" section of Msconfig? I have roughly a half dozen things that have been added by various apps that I have unchecked, but would like to know how to remove them as opposed to unchecking them.
Many thanks in advance, and once more for all the invaluable assistance in the past,
Mourngrym
"Without the player, there is no game."
Mosaic1
01-04-2002, 01:43 AM
You have a trojan. W32.DlDer.Trojan
http://www.symantec.com/avcenter/venc/data/w32.dlder.trojan.html
This creates another explorer.exe in C:\windows\Explorer
The real Explorer.exe is in
C:\windows
Mourngrym
01-04-2002, 01:45 PM
Yes, that was the problem, and although the link listed is no longer active, I was able to find the information needed to remove the beastie. What amazes me is that my scanner didn't catch it in the first place, not even after downloading the latest dat files for it yesterday, and running it on all drives. NAV caught it right off. Just goes to show that one can't blindly rely on some software to do the job adequately at times. I have sent an email to the software's authors, letting them know that this particular bit of business is NOT detected by their product. (I've been relying on AVG, in case anyone else is using it...)
I also found that several of the startup items were contained in HKLM\Software\Microsoft\Windows\CurrentVersion\Run or in \Run- and have been able to remove them as well.
Many thanks for the pointers and advice!
Mourngrym
"Without the player, there is no game."
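The check described in the posts above (a startup entry that runs Explorer.exe from somewhere other than C:\windows), as an added example that is not part of the thread or any poster's code. It assumes the Run-key values have already been exported as name/command pairs; the sample entries are constructed, and only the "dlder" value and the two Explorer.exe locations come from the posts.

```python
import ntpath

# Directory each imitated system binary is expected to run from.
# Only explorer.exe is taken from the thread; C:\WINDOWS is assumed
# to be the Windows directory, as in the posts.
EXPECTED_DIRS = {"explorer.exe": r"c:\windows"}

def command_path(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut right after the first ".exe" so arguments are dropped.
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command.split(" ")[0]

def find_masquerades(run_entries):
    """Return (value name, path) for entries imitating a system binary."""
    findings = []
    for name, command in run_entries.items():
        path = ntpath.normpath(command_path(command))
        expected = EXPECTED_DIRS.get(ntpath.basename(path).lower())
        directory = ntpath.dirname(path).lower()
        # A bare file name is resolved through the search path and cannot
        # be judged from the registry value alone, so it is skipped.
        if expected and directory and directory != expected:
            findings.append((name, path))
    return findings

# Constructed sample of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# values (value name -> command line).
SAMPLE_RUN = {
    "dlder": r"C:\explorer\Explorer.exe",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "SystemTray": "SysTray.Exe",
    "Shell": r'"C:\WINDOWS\Explorer.exe"',
}

if __name__ == "__main__":
    for name, path in find_masquerades(SAMPLE_RUN):
        print(f"suspicious startup entry {name!r}: {path}")
```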
coolsights2000
01-04-2002, 01:58 PM
I prefer Mcafee...
Mcafee has detected a few viruses at the front door and shot them in the back while they ran back to norton!!
Just think norton was prob. running on the server that dished the virus to YA!
I know I'll start something by saying norton in the sentence... BUT I am free from all KNOWN viruses
I don't know what is going on.... They only have signature file posted for 4179
This page says you need 4180 to detect the virus you got
Click HERE (http://vil.mcafee.com/dispVirus.asp?virus_k=99289&)
and it says it is not a real virus
This program is not a virus. However, the application does resemble trojan like behavior. It is/was being distributed by several popular freeware programs. Such as certain versions of BonziBUDDY, Net2Phone.com, KaZaA, Grokster, and LimeWire. In some cases the user was not made aware that the program was being installed, and/or what the program was designed to do.
The program is related to the ClickTillUWin game. It is designed to relay the computer IP Address, URLs that the user has visited, and web browser version to http://www.2001-007.com, for the purpose of displaying advertisements. It creates the following files and registry entries:
Thanks
Mac!!!
This Is just my opinion
So if it stinks wait for another one
Cause I'm no expert
coolsights2000
01-04-2002, 02:19 PM
Mosaic1
did they pull your page I can't find it I even did a search and the search results gave the page but it was gone???????
I had already went there a few times???
Also
Mourngrym
Do you have the adware detector just as important as an anti-virus program
Lavasoft Click here (http://lavasoftusa.net)
make sure you download the updater too...
Thanks
Mac!!!
This Is just my opinion
So if it stinks wait for another one
Cause I'm no expert
TonyKlein
01-04-2002, 03:53 PM
It must have been retracted.
Try this one (http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_DLDER.A)
Mosaic1
01-04-2002, 06:26 PM
Sorry about that link. It was active when I posted it.
All AV software doesn't find everything. It's a good idea to run an online scan occasionally too.
coolsights2000
01-04-2002, 07:02 PM
LoL
Mosaic1
I know it worked I had been there already!!
Thanks
Mac!!!
This Is just my opinion
So if it stinks wait for another one
Cause I'm no expert
Mourngrym
01-05-2002, 04:01 AM
Yes, I do have Adware installed, with the latest update that I have been able to find, seems here at least the sites that provide them stay offline for the most part. Mine is 11-24-01, and it didn't catch it either. FWIW, I am no great fan of Norton, that just happened to be the one that I used to catch it with.
Mourngrym
"Without the player, there is no game."
Mourngrym
01-05-2002, 04:14 AM
I had loaded BearShare, and LimeWire both not too recently. I opted to disallow the 3rd party software with both, LimeWire, at least the 1.9 beta, wouldn't run, period, without it, so that was removed. BearShare didn't notify me of anything other than the ones listed, those were likewise disallowed, but about then is when the BonziBuddy garbage, and the ClickTilluWin stuff appeared, so I suspect that is the culprit, and its installation coincides with the dates noticed on the files that were the problem.
I realize it may not be a virus or true Trojan, however, I personally find it most disconcerting to have things installed "behind my back" in the first place, much less those that cause as much grief as this one has. BSoD's out the wazoo, reboots, and a most problematic shutting down of my SQL server. These are NOT desirable traits, IMHO. I understand the developer's need to make a living, but shoving things down one's throat is NOT a good way to make friends and influence people.
I've notified the authors of my personal scanner, AVG, of the oversight in their latest dat file, which was released 02 JAN 02, and doesn't catch the problem. This may be due to the fact they don't count it as a virus or Trojan, however, the other vendors do, and in any case, it has proven, at least personally, to be not only detrimental to the system's well being, but IMO is a blatant invasion of privacy as well. There should be some recourse that could be taken against those who provide such as a part of their packages, much less to do so in such a fashion. In words of one syllable, IT SUCKS!
Just my opinion...
Mourngrym
"Without the player, there is no game."
coolsights2000
01-05-2002, 01:16 PM
LOL
I agree on they should show you what is getting installed... But they don't so you have to live with it.. or get smarter on what to look for
I check my run keys all the time
If you go start run type msinfo32 hit ok
look in the software environment stuff it will give you a good indication of a lot of stuff that is running and what is starting up
get used to the list and monitor it
also if you have zone alarm look in the programs tab....
also you can monitor the defrag list too
C:\WINDOWS\APPLOG\Optlog.txt
You are one step ahead of them by coming to this site... I have learned a lot since I have been here!!
Thanks to the anti-virus software we can all sleep a little better...
I just found out that mcafee has daily beta updates for signature also from what I have read they all just added this trojan to the list of things to look for...
mcafee site says you need 4180 to detect it they only have 4179 posted
I think I'm going to start using the daily beta updates.
Someone please correct me if my story ain't the same as yours on this one!!!
The way I see it there is one company that keeps the virus signatures. and all the antivirus software uses those signatures.. It is just which software is better.....
Thanks
Mac!!!
This Is just my opinion
So if it stinks wait for another one
Cause I'm no expert