removing filost

[sazsaysisit]

hey! i have a problem with my computer with the popups with filost. the popups have now gone but the internet does not work properly. i cant click on the internet window or highlight or left click anywhere on the screen! please help! here is my HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 07:41:07, on 28/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\McAfee\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
D:\PROGRA~1\McAfee\PERSON~1\MpfAgent.exe
C:\WINNT\twain_32\VIVID\VIVID.EXE
D:\PROGRA~1\McAfee\PERSON~1\MpfTray.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\MightyFax\MFNTCTL.EXE
C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yyiqhxiblqelbwawvtlgg.co...yzme/6vwXHbs959k7jD46qM9cWb7mtjWQFZ/WMmk.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\WINNT\TWAIN_32\Vivid\VIVID.EXE
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\McAfee\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HBtERTM5S] dmcilshr.exe
O4 - HKCU\..\Run: [MICROSOFT UNPACK SYSTEM] winrarx.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\MightyFax\MFNTCTL.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sify.com/eot/tdserver.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14e96164a3298a516005/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINNT\system32\hwclock.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\PROGRA~1\McAfee\PERSON~1\MPFSERVICE.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks in advance

 

[Tedster]

turn off system restore
boot in safe mode
run ewido with updates
once clean boot in normal mode and turn system restore back on.

 

[sazsaysisit]

downloaded and ran ewido with updates but the internet still doesn't work.
im using Windows 2000 so is there a system restore option on there? HELP!!!!!

 

[howard_hopkinso]

Hello and welcome to Techspot.

Windows 2000 doesn`t have system restore.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html


In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by pressing ctrl/alt/delete keys together.

Click on the processes tab and end process for(if there).

winrarx.exe
dmcilshr.exe

Close task manager.

Run HJT with no other programmes running. have HJT fix the following, by placing a tick in the little box next to(if there).

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=

O4 - HKCU\..\Run: [HBtERTM5S] dmcilshr.exe
O4 - HKCU\..\Run: [MICROSOFT UNPACK SYSTEM] winrarx.exe

Fix all 016 DPF entries.

O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINNT\system32\hwclock.exe (file missing)

Click on the fix checked button.

Close HJT.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it.

Locate the above 023 service and double click on it. Select stop if it`s running. Set the startup type to disabled. Click apply/ok.

Click start/search and Locate and delete, the following bold files(if there).

winrarx.exe
dmcilshr.exe


Reboot your computer into normal mode.

Regards Howard :wave: :wave:

 

[sazsaysisit]

heyy! i tried everything that u said but it still isn'y working. wildtangent is still installed and now have downloaded many malaware programs but still it doesn't work. HELPPPPP!

thanks in advance! $az

 

[howard_hopkinso]

Please post a fresh HJT log as an attachment. See HERE for instructions.

Regards Howard

 

[sazsaysisit]

hiiii! heres my hijack this file

please urgent help needed! nothings working on my pc

also attachced are a list of infected things found on my pc (export.txt)

Thank in advance

Sazsaysisit

 

[howard_hopkinso]

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html


In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

C:\Program Files\SpywareDetector

Close control panel.

Open your task manager, by pressing ctrl/alt/delete keys together.

Click on the processes tab and end process for(if there).

SDService.exe
SDSystemTray.exe
LiveUpdateSD.exe
RegModule.exe

Close task manager.

Click start/run and type services.msc into the run box and press the eneter key.

When the window appears, maximise it. Locate this service(if there).

SDAutoLiveupdate Double click on it and select stop if it`s running. Set the startup type to disabled. Click apply ok.

Click start/run and type regsvr32 /u C:\Program Files\SpywareDetector\SDNotify.dll and press the enter key.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yyiqhxiblqelbwawvtlgg.com/2ErHKwUsjA5VaHREIVQl5aT0yzme/6vwXHbs959k7jD 46qM9cWb7mtjWQFZ/WMmk.html

O4 - HKLM\..\Run: [EPSON Product Registration Reminder] C:\WINNT\Temp\RegModule.exe

O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe

O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

O17 - HKLM\System\CCS\Services\Tcpip\..\{D9DC14B3-BB84-4200-84C7-50A9E38A486A}: NameServer = 62.6.40.178 194.72.9.38 Only fix this if it doesn`t belong to your ISP.

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold file(if there).

C:\Program Files\SpywareDetector

C:\WINNT\Temp\RegModule.exe

Reboot into normal mode.

Regards Howard