HJT Log Please Help!!

Status
Not open for further replies.
Please help followed trojan, pakes removal instructions. HJT log

Please help. I followed the instructions on Trojan Pakes and other nasties removal instructions. I have attached my HJT log. My problem is: My computer won't start in normal mode, windows starts up then it freezes. I can only start windows in safe mode. Please help, any response is appreciated.
 

I have merged your new thread into this one. Continue posting in this thread.

Follow all these instructions exactly.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add/remove programmes in your control panel and uninstall anything to do with (if there):

DeluxeCommunications
Network Monitor

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Network Monitor
Microsoft authenticate service
Command Service
_mzu_stonedrv2
stonedrv
Windows APCI Verifier
Windows Update Manager

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

vsbij.exe
ntos.exe
goiltck.exe
ddjfihw.exe
updmgr.exe
dhcpserv.exe
lssas.exe <Not to be confused with> lsass.exe. Note the spelling.
stonedrv.exe
_mzu_stonedrv2.exe
rnnypbw.exe
v1201.exe
Dxc.exe
bxlwxc.exe
dhcpserv.exe
ibm00031.exe
command.exe
msasvc.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vsbij.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,goiltck.exe,ddjfihw.exe

O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe

O4 - HKLM\..\Run: [Windows APCI Verifier] dhcpserv.exe

O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe

O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKLM\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe

O4 - HKLM\..\Run: [drpXPd] "C:\WINDOWS\System32\rnnypbw.exe"

O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe

O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKLM\..\Run: [bppoxa] C:\WINDOWS\System32\bxlwxc.exe reg_run

O4 - HKLM\..\RunServices: [Windows APCI Verifier] dhcpserv.exe

O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe

O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00031.exe"

O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKCU\..\Run: [wmwpy] C:\WINDOWS\System32\bxlwxc.exe reg_run

O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{78B0CA8A-C44A-46D7-98B1-AD724DB8848E}: NameServer = 207.69.188.185,207.69.188.186 <Only fix this, if it doesn't belong to your ISP.

O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\System32\lt5vsrs.dll

O20 - AppInit_DLLs: dxclib303562752.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\cNbview.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGFubnk\command.exe

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\update Delete the entire folder.
C:\Program Files\Network Monitor Delete the entire folder.
C:\WINDOWS\System32\msasvc.exe
C:\WINDOWS\ZGFubnk Delete the entire folder.
C:\WINDOWS\System32\bxlwxc.exe reg_run
C:\Program Files\DeluxeCommunications Delete the entire folder.
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00031.exe
C:\windows\system32\_mzu_stonedrv2.exe
C:\windows\system32\stonedrv.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\System32\rnnypbw.exe
C:\WINDOWS\System32\lssas.exe Make sure you don't delete the lsass.exe file, check the spelling.
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\goiltck.exe
C:\WINDOWS\System32\ddjfihw.exe
C:\WINDOWS\System32\vsbij.exe
dhcpserv.exe <Search your system for this file and delete all instances of it.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\System32\lt5vsrs.dll
C:\WINDOWS\system32\cNbview.dll
C:\WINDOWS\system32\dxclib303562752.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Go HERE and download and install one of the suggested firewall programmes.

Rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log as well as an AVG Antispyware log

Regards Howard :)

This thread is for the use of tovar78 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
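The checks applied by eye in the post above (extra programs chained onto Shell/UserInit, the lssas.exe name that imitates lsass.exe, services with an unknown owner) can be run mechanically over a HijackThis log. This is an added example, not part of the original thread or of HijackThis: the KNOWN list, the rule names and the function names are assumptions made for illustration, and the sample log is constructed from four entries quoted in the post. Findings are prompts for review, not verdicts.

```python
import re

# Assumed reference list of Windows system binaries whose names get imitated.
KNOWN = ["lsass.exe", "svchost.exe", "explorer.exe", "userinit.exe",
         "winlogon.exe", "services.exe", "csrss.exe", "smss.exe"]
DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}  # Windows XP defaults

# Constructed sample: four entries quoted in the post above, in HijackThis log format.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vsbij.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,goiltck.exe,ddjfihw.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGFubnk\command.exe
"""

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent characters counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike(name):
    """Return the system binary that `name` is exactly one edit away from, or None."""
    return next((k for k in KNOWN if osa_distance(name.lower(), k) == 1), None)

def review(log):
    """Return (rule, detail) pairs for HijackThis lines that deserve a closer look."""
    findings = []
    for line in filter(None, map(str.strip, log.splitlines())):
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
        if m:  # anything chained after the default value also launches at logon
            key = m.group(1).lower()
            for value in filter(None, map(str.strip, m.group(2).split(","))):
                if re.split(r"[\\/]", value)[-1].lower() != DEFAULTS[key]:
                    findings.append(("extra-" + key, value))
        if re.match(r"O23 - Service: .* - Unknown owner - ", line):
            findings.append(("unknown-owner", line.rsplit(" - ", 1)[1]))
        findings += [("lookalike", f"{e} imitates {lookalike(e)}")
                     for e in re.findall(r"[\w.-]+\.exe", line, re.I) if lookalike(e)]
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```
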
 
Hello, I followed your instructions exactly as you posted. I have attached a fresh HJT log. I still can NOT start my computer in normal mode. Also, I can not turn system restore on because I am running windows in safe mode. I can only run windows in safe mode. 1 more thing, I can NOT post an AVG antispyware log because when I scan my computer using AVG antispyware my computer restarts when I run the scan. Please help!
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft authenticate service

Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

msasvc.exe
wnu_166.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunOnce: [wnu] C:\WINDOWS\wnu_166.exe silent

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\wnu_166.exe
C:\WINDOWS\System32\msasvc.exe

Reboot into normal mode (if you can), turn system restore back on (if you can) and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having problems.

Regards Howard :)

 
Hello, I followed your instructions. I deleted all the files you said to delete. I ran HJT and deleted what you said to delete. I ran a fresh HJT log. My problem now is: When I restarted the computer I get a blue screen that reads STOP:c000021a {Fatal system Error}
The windows Logon Process system process terminated unexpectedly with a status of 0x00000080 (0x00000000 0x00000000).
The system has been shut down.

I try to boot into safe mode, but I still get the same blue screen every time I try to run windows in safe mode.

Please help, I can not access my fresh HJT log to post it.
 
The thing is, your system was so badly infected, possibly your OS files have been damaged.

I suggest you try running a Windows repair as per this thread HERE.

Let me know the outcome please.

Regards Howard :)

 
Hello, I followed the instructions to repair windows. My problem is: when I select to setup windows XP now press enter, I get the following message:
Set up did not find any hard disk drives installed in your computer.

Make sure any hard disk drives are powered on and properly connected to your computer, and that any disk-related hardware configuration is correct.

Setup cannot continue. To quit Setup, press F3

Also, now when I restart my computer I am prompted to enter user name and password to log on to windows, but I do not know my user name and password. I never set up any user name or password. Please help..

Thank you for your time,

Eddie
 
Is your hard drive detected in bios?

What are your system specs?

Regards Howard :)

 