HJT Log Please Help!!

By tovar78
Nov 1, 2006
Topic Status:
Not open for further replies.
  1. Hello, please check my HJT log I posted. I have a virus message from my firewall. Please help!
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of tovar78 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. tovar78

    tovar78 Newcomer, in training Topic Starter

    Please help, followed Trojan Pakes removal instructions. HJT log

    Please help. I followed the instructions on Trojan Pakes and other nasties removal instructions. I have attached my HJT log. My problem is: my computer won't start in normal mode; Windows starts up, then it freezes. I can only start Windows in safe mode. Please help, any response is appreciated.

    Attached Files:

  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    I have merged your new thread into this one. Continue posting in this thread.

    Follow all these instructions exactly.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    DeluxeCommunications
    Network Monitor

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Network Monitor
    Microsoft authenticate service

    Command Service
    _mzu_stonedrv2

    stonedrv
    Windows APCI Verifier

    Windows Update Manager

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    vsbij.exe
    ntos.exe

    goiltck.exe
    ddjfihw.exe

    updmgr.exe
    dhcpserv.exe

    lssas.exe (not to be confused with lsass.exe; note the spelling)
    stonedrv.exe

    _mzu_stonedrv2.exe
    rnnypbw.exe

    v1201.exe
    Dxc.exe

    bxlwxc.exe
    dhcpserv.exe

    ibm00031.exe
    command.exe

    msasvc.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vsbij.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,goiltck.exe,ddjfihw.exe

    O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe

    O4 - HKLM\..\Run: [Windows APCI Verifier] dhcpserv.exe

    O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe

    O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

    O4 - HKLM\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe

    O4 - HKLM\..\Run: [drpXPd] "C:\WINDOWS\System32\rnnypbw.exe"

    O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe

    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

    O4 - HKLM\..\Run: [bppoxa] C:\WINDOWS\System32\bxlwxc.exe reg_run

    O4 - HKLM\..\RunServices: [Windows APCI Verifier] dhcpserv.exe

    O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

    O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe

    O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

    O4 - HKCU\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe

    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00031.exe"

    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

    O4 - HKCU\..\Run: [wmwpy] C:\WINDOWS\System32\bxlwxc.exe reg_run

    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{78B0CA8A-C44A-46D7-98B1-AD724DB8848E}: NameServer = 207.69.188.185,207.69.188.186 (Only fix this if it doesn't belong to your ISP.)

    O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\System32\lt5vsrs.dll

    O20 - AppInit_DLLs: dxclib303562752.dll

    O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\cNbview.dll

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGFubnk\command.exe

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\update Delete the entire folder.
    C:\Program Files\Network Monitor Delete the entire folder.
    C:\WINDOWS\System32\msasvc.exe

    C:\WINDOWS\ZGFubnk Delete the entire folder.
    C:\WINDOWS\System32\bxlwxc.exe reg_run
    C:\Program Files\DeluxeCommunications Delete the entire folder.

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00031.exe
    C:\windows\system32\_mzu_stonedrv2.exe
    C:\windows\system32\stonedrv.exe

    C:\WINDOWS\v1201.exe
    C:\WINDOWS\System32\rnnypbw.exe
    C:\WINDOWS\System32\lssas.exe (Make sure you don't delete the lsass.exe file; check the spelling.)

    C:\WINDOWS\System32\ntos.exe
    C:\WINDOWS\System32\goiltck.exe
    C:\WINDOWS\System32\ddjfihw.exe

    C:\WINDOWS\System32\vsbij.exe
    dhcpserv.exe (Search your system for this file and delete all instances of it.)

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\System32\lt5vsrs.dll
    C:\WINDOWS\system32\cNbview.dll
    C:\WINDOWS\system32\dxclib303562752.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Go HERE and download and install one of the suggested firewall programmes.

    Rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

    This thread is for the use of tovar78 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
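As an added example (not from this thread and not part of HijackThis), a small Python triage of lines in HJT log format that flags the patterns Howard's fix list above relies on: a Shell= or UserInit= value chained with extra executables, an AppInit_DLLs entry, an O4 entry with a bare file name, a service with no publisher, and an executable whose name is a near-miss of a core Windows binary (lssas.exe posing as lsass.exe). The sample log is constructed, and the LEGIT list of names to compare against is an assumption.

```python
import difflib
import re

# Constructed sample in HijackThis log format, modelled on entries from the fix list above;
# the ctfmon.exe entry is a benign control that the triage should leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vsbij.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [Windows APCI Verifier] dhcpserv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""

# Assumed list of core Windows binaries that malware imitates by misspelling (lssas.exe vs lsass.exe).
LEGIT = ["lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe",
         "explorer.exe", "userinit.exe"]
EXE = re.compile(r'[^\\/",=\[\]:\s]+\.(?:exe|dll)', re.I)  # file names inside paths or command lines

def lookalike(name):
    """Return the legitimate name that `name` resembles, or None if it is that name or unrelated."""
    name = name.lower()
    if name in LEGIT:
        return None
    hits = difflib.get_close_matches(name, LEGIT, n=1, cutoff=0.8)
    return hits[0] if hits else None

def triage(log):
    """Return (line, reason) pairs for HJT entries that show the patterns in the fix list."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        names = EXE.findall(line)
        if line.startswith("F2 - REG:system.ini: Shell=") and [n.lower() for n in names] != ["explorer.exe"]:
            findings.append((line, "Shell= starts more than Explorer.exe"))
        elif line.startswith("F2 - REG:system.ini: UserInit=") and len(names) > 1:
            findings.append((line, "UserInit= chains extra executables: " + ", ".join(names[1:])))
        elif line.startswith("O20 - AppInit_DLLs:") and names:
            findings.append((line, "AppInit_DLLs loads %s into every process" % names[0]))
        elif (line.startswith("O4 ") or line.startswith("O23 ")) and names:
            twin = lookalike(names[-1])
            command = line.split("] ", 1)[-1]  # O4: the command after the [value name]
            if twin:
                findings.append((line, "%s is a misspelling of %s" % (names[-1], twin)))
            elif line.startswith("O4 ") and "\\" not in command:
                findings.append((line, "bare file name %s is resolved by path search" % names[-1]))
            elif "Unknown owner" in line:
                findings.append((line, "service binary carries no publisher information"))
    return findings
```

Running `triage(SAMPLE_LOG)` reports six of the seven sample lines and leaves the ctfmon.exe entry alone.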
  5. tovar78

    tovar78 Newcomer, in training Topic Starter

    Hello, I followed your instructions exactly as you posted. I have attached a fresh HJT log. I still can NOT start my computer in normal mode. Also, I can not turn system restore on because I am running Windows in safe mode. I can only run Windows in safe mode. One more thing: I can NOT post an AVG Antispyware log because when I scan my computer using AVG Antispyware, my computer restarts when I run the scan. Please help!
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft authenticate service

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    msasvc.exe
    wnu_166.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\RunOnce: [wnu] C:\WINDOWS\wnu_166.exe silent

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\wnu_166.exe
    C:\WINDOWS\System32\msasvc.exe

    Reboot into normal mode(if you can), turn system restore back on(if you can) and rehide your protected OS files.

    Post a fresh HJT log and let me know if you're still having problems.

    Regards Howard :)

    This thread is for the use of tovar78 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. tovar78

    tovar78 Newcomer, in training Topic Starter

    Hello, I followed your instructions. I deleted all the files you said to delete. I ran HJT and deleted what you said to delete. I ran a fresh HJT log. My problem now is: when I restarted the computer I get a blue screen that reads STOP: c000021a {Fatal System Error}
    The Windows Logon Process system process terminated unexpectedly with a status of 0x00000080 (0x00000000 0x00000000).
    The system has been shut down.

    I try to boot into safe mode, but I still get the same blue screen every time I try to run Windows in safe mode.

    Please help, I can not access my fresh HJT log to post it.
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    The thing is, your system was so badly infected, possibly your OS files have been damaged.

    I suggest you try running a Windows repair as per this thread HERE.

    Let me know the outcome please.

    Regards Howard :)

    This thread is for the use of tovar78 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. tovar78

    tovar78 Newcomer, in training Topic Starter

    Hello, I followed the instructions to repair Windows. My problem is: when I select "To set up Windows XP now, press ENTER", I get the following message:
    Setup did not find any hard disk drives installed in your computer.

    Make sure any hard disk drives are powered on and properly connected to your computer, and that any disk-related hardware configuration is correct.

    Setup cannot continue. To quit Setup, press F3.

    Also, now when I restart my computer I am prompted to enter a user name and password to log on to Windows, but I do not know my user name and password. I never set up any user name or password. Please help.

    Thank you for your time,

    Eddie
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Is your hard drive detected in bios?

    What are your system specs?

    Regards Howard :)

    This thread is for the use of tovar78 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.