I have merged your new thread into this one. Continue posting in this thread.
Follow all these instructions exactly.
Download the Pocket Killbox programme from
HERE. Extract it but don`t run it yet.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Turn off system restore.(XP/ME only) See how here.>
http://www.bleepingcomputer.com/forums/tutorial56.html
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.>
http://www.bleepingcomputer.com/forums/tutorial61.html
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.>
http://www.bleepingcomputer.com/forums/tutorial62.html
Go to add remove programmes in your control panel and uninstall anything to do with(if there).
DeluxeCommunications
Network Monitor
Close control panel.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
Network Monitor
Microsoft authenticate service
Command Service
_mzu_stonedrv2
stonedrv
Windows APCI Verifier
Windows Update Manager
Close the services window.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for(if there).
vsbij.exe
ntos.exe
goiltck.exe
ddjfihw.exe
updmgr.exe
dhcpserv.exe
lssas.exe
<Not to be confused with>lsass.exe Note the spelling.
stonedrv.exe
_mzu_stonedrv2.exe
rnnypbw.exe
v1201.exe
Dxc.exe
bxlwxc.exe
dhcpserv.exe
ibm00031.exe
command.exe
msasvc.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vsbij.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,goiltck.e xe,ddjfihw.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [Windows APCI Verifier] dhcpserv.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKLM\..\Run: [drpXPd] "C:\WINDOWS\System32\rnnypbw.exe"
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [bppoxa] C:\WINDOWS\System32\bxlwxc.exe reg_run
O4 - HKLM\..\RunServices: [Windows APCI Verifier] dhcpserv.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00031.exe"
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [wmwpy] C:\WINDOWS\System32\bxlwxc.exe reg_run
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) -
https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B0CA8A-C44A-46D7-98B1-AD724DB8848E}: NameServer = 207.69.188.185,207.69.188.186
<Only fix this, if it doesn`t belong to your ISP.
O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\System32\lt5vsrs.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\cNbview.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGFubnk\command.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
Click on the fix checked button.
Close HJT.
Locate and delete the following
bold files and/or directories(if there).
C:\WINDOWS\
update Delete the entire folder.
C:\Program Files\
Network Monitor Delete the entire folder.
C:\WINDOWS\System32\
msasvc.exe
C:\WINDOWS\
ZGFubnk Delete the entire folder.
C:\WINDOWS\System32\
bxlwxc.exe reg_run
C:\Program Files\
DeluxeCommunications Delete the entire folder.
C:\Program Files\Common Files\Microsoft Shared\Web Folders\
ibm00031.exe
C:\windows\system32\
_mzu_stonedrv2.exe
C:\windows\system32\
stonedrv.exe
C:\WINDOWS\
v1201.exe
C:\WINDOWS\System32\
rnnypbw.exe
C:\WINDOWS\System32\
lssas.exe Make sure you don`t delete the lsass.exe file check the spelling.
C:\WINDOWS\System32\
ntos.exe
C:\WINDOWS\System32\
goiltck.exe
C:\WINDOWS\System32\
ddjfihw.exe
C:\WINDOWS\System32\
vsbij.exe
dhcpserv.exe<Search your system for this file and delete all instances of it.
Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and
check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.
This is the filepath you need to enter into killbox.
C:\WINDOWS\System32\lt5vsrs.dll
C:\WINDOWS\system32\cNbview.dll
C:\WINDOWS\system32\dxclib303562752.dll
Once your system has rebooted, turn system restore back on and rehide your protected OS files.
Go
HERE and download and install one of the suggested firewall programmes.
Rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log as well as an
AVG Antispyware log
Regards Howard
This thread is for the use of tovar78 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.