TechSpot

removing filost

By sazsaysisit
Feb 28, 2006
Topic Status:
Not open for further replies.
  1. Hey! I have a problem with my computer with the popups with filost. The popups have now gone but the internet does not work properly. I can't click on the internet window or highlight or left click anywhere on the screen! Please help! Here is my HJT log.


    Logfile of HijackThis v1.99.1
    Scan saved at 07:41:07, on 28/02/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\PROGRA~1\McAfee\PERSON~1\MPFSERVICE.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    D:\PROGRA~1\McAfee\PERSON~1\MpfAgent.exe
    C:\WINNT\twain_32\VIVID\VIVID.EXE
    D:\PROGRA~1\McAfee\PERSON~1\MpfTray.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    D:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\MightyFax\MFNTCTL.EXE
    C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yyiqhxiblqelbwawvtlgg.co...yzme/6vwXHbs959k7jD46qM9cWb7mtjWQFZ/WMmk.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=C:\WINNT\TWAIN_32\Vivid\VIVID.EXE
    F3 - REG:win.ini: run=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\McAfee\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [HBtERTM5S] dmcilshr.exe
    O4 - HKCU\..\Run: [MICROSOFT UNPACK SYSTEM] winrarx.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\MightyFax\MFNTCTL.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sify.com/eot/tdserver.cab
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14e96164a3298a516005/netzip/RdxIE601.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINNT\system32\hwclock.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\PROGRA~1\McAfee\PERSON~1\MPFSERVICE.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thanks in advance
  2. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    turn off system restore
    boot in safe mode
    run ewido with updates
    once clean boot in normal mode and turn system restore back on.
  3. sazsaysisit

    sazsaysisit TS Rookie Topic Starter

    Downloaded and ran ewido with updates but the internet still doesn't work.
    I'm using Windows 2000 so is there a system restore option on there? HELP!!!!!
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Windows 2000 doesn't have system restore.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html


    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by pressing ctrl/alt/delete keys together.

    Click on the processes tab and end process for (if there).

    winrarx.exe
    dmcilshr.exe

    Close task manager.

    Run HJT with no other programmes running. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - Default URLSearchHook is missing

    F3 - REG:win.ini: run=

    O4 - HKCU\..\Run: [HBtERTM5S] dmcilshr.exe
    O4 - HKCU\..\Run: [MICROSOFT UNPACK SYSTEM] winrarx.exe

    Fix all O16 DPF entries.

    O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINNT\system32\hwclock.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it.

    Locate the above O23 service and double click on it. Select stop if it's running. Set the startup type to disabled. Click apply/ok.

    Click start/search and locate and delete the following bold files (if there).

    winrarx.exe
    dmcilshr.exe


    Reboot your computer into normal mode.

    Regards Howard :wave: :wave:
  5. sazsaysisit

    sazsaysisit TS Rookie Topic Starter

    Heyy! I tried everything that you said but it still isn't working. Wildtangent is still installed and now have downloaded many malware programs but still it doesn't work. HELPPPPP!

    thanks in advance! $az
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Please post a fresh HJT log as an attachment. See HERE for instructions.

    Regards Howard :)
  7. sazsaysisit

    sazsaysisit TS Rookie Topic Starter

    Hiiii! Here's my hijack this file

    Please urgent help needed! Nothing's working on my pc

    Also attached is a list of infected things found on my pc (export.txt)

    Thanks in advance

    Sazsaysisit
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html


    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    C:\Program Files\SpywareDetector

    Close control panel.

    Open your task manager, by pressing ctrl/alt/delete keys together.

    Click on the processes tab and end process for (if there).

    SDService.exe
    SDSystemTray.exe
    LiveUpdateSD.exe
    RegModule.exe

    Close task manager.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Locate this service (if there).

    SDAutoLiveupdate

    Double click on it and select stop if it's running. Set the startup type to disabled. Click apply/ok.

    Click start/run and type regsvr32 /u "C:\Program Files\SpywareDetector\SDNotify.dll" and press the enter key.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yyiqhxiblqelbwawvtlgg.com/2ErHKwUsjA5VaHREIVQl5aT0yzme/6vwXHbs959k7jD 46qM9cWb7mtjWQFZ/WMmk.html

    O4 - HKLM\..\Run: [EPSON Product Registration Reminder] C:\WINNT\Temp\RegModule.exe

    O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe

    O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9DC14B3-BB84-4200-84C7-50A9E38A486A}: NameServer = 62.6.40.178 194.72.9.38
    (Only fix this if it doesn't belong to your ISP.)

    O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\Program Files\SpywareDetector

    C:\WINNT\Temp\RegModule.exe

    Reboot into normal mode.

    Regards Howard :)
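
As an added illustration that is not part of the original thread: a triage pass over HijackThis lines using three heuristics that match the kinds of entries flagged in the replies above (Run values given as a bare file name, autostarts from a Temp directory, services whose file is missing). The heuristics and the `KNOWN_BARE` allowlist are assumptions made for this example, not HijackThis or TechSpot logic.

```python
import re

# Assumption: Windows components that legitimately autostart by bare file name.
KNOWN_BARE = {"ctfmon.exe", "mobsync.exe"}

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(.*?)\] ?(.*)$")

def triage(log_text):
    """Return (section, reason, item) tuples for entries that need a manual look."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw)
        if not entry:
            continue
        section, body = entry.groups()
        run = RUN.match(body) if section == "O4" else None
        if run and run.group(2).strip():
            command = run.group(2).strip()
            # First token of the command line, honouring a quoted path.
            first = command.split('"')[1] if command.startswith('"') else command.split()[0]
            if "\\" not in first and first.lower() not in KNOWN_BARE:
                findings.append((section, "autostart by bare file name", first))
            if "\\temp\\" in command.lower():
                findings.append((section, "autostart from a Temp directory", first))
        elif section == "O23":
            lowered = body.lower()
            if "(file missing)" in lowered or "unknown owner" in lowered:
                findings.append((section, "service file missing or owner unknown", body))
    return findings

# Lines copied from the HijackThis entries quoted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HBtERTM5S] dmcilshr.exe
O4 - HKCU\..\Run: [MICROSOFT UNPACK SYSTEM] winrarx.exe
O4 - HKLM\..\Run: [EPSON Product Registration Reminder] C:\WINNT\Temp\RegModule.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINNT\system32\hwclock.exe (file missing)
"""

if __name__ == "__main__":
    for section, reason, item in triage(SAMPLE):
        print(f"{section}: {reason}: {item}")
```

A hit means the entry deserves a manual check, not that it is malicious; an unquoted path containing spaces is only judged by its first token.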

