uk_nm elitebar DerBiz and checkrun!

ok, ive run ad-aware 6 pro, spybot S&D, Microsoft Anti-Spyware, Win CleanUP and HJT. Also got ZoneLabs AntiVirus runing and checking! I have a reasonable knowledge and ive run all these and removed tonnes of stuff. Ive also un SP2 my laptop until its fixed.

Now, here are the problems.
1) Everytime i turn my PC on it runs this DerBiz cr*p.
2) Ad-Aware and MS ASW remove a number of cookies and applications, + reg keys
3)DerBiz still runs
4) Ad-Watch (ad-aware extra) keeps picking up (every 10 seconds) allday long (even after cleans and anti-spyware removal eyt etc) an attempt to change a value in the registry called chekcrun into the windows/run and tells it to point to system32/elitegra32.exe (dosent exist)
5) I keep getting pop ups from casalemedia.com that started when the spyware got on my PC!
6) The details below happen EVERYTIME i restart. What the...? Same results from cleaners and ASW things...

So, im down to my last tether. :tazz:

Ive only just got my PC fully working again afer a well needed format.

So, Heres the HJT Log (ive fixed already but problem still exists, something i missed?)

Logfile of HijackThis v1.99.1
Scan saved at 15:12:34, on 21/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\XP\system32\spoolsv.exe
C:\XP\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\XP\system32\ZoneLabs\vsmon.exe
C:\XP\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\XP\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infizi.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infizi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\XP\system32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\XP\System32\ctfmon.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116322223036
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\XP\System32\ZoneLabs\isafe.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\XP\system32\ZoneLabs\vsmon.exe

Heres the ad-watch details
===============================================
21/05/2005 15:13:42 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
21/05/2005 15:13:58 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
21/05/2005 15:14:05 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
21/05/2005 15:14:12 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
21/05/2005 15:14:22 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
it goes on and on, current count 177 in 20minutes....
Spyware Scan Details
Start Date: 21/05/2005 12:36:24
End Date: 21/05/2005 14:05:18
Total Time: 1 hrs 28 mins 54 secs

Detected Threats

SearchMiracle.EliteBar Browser Plug-in more information...
Details: SearchMiracle.EliteBar adds a search redirection toolbar to Internet Explorer called Elite Bar.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\xp\system32\temperror32.dat

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\LQ
HKEY_CURRENT_USER\Software\LQ TM 10
HKEY_CURRENT_USER\Software\LQ AT 300
HKEY_CURRENT_USER\Software\LQ AC 250
HKEY_CURRENT_USER\Software\LQ AD 5
HKEY_CURRENT_USER\Software\LQ AM 5

Dialer.ASDPlugin Dialer more information...
Details: Dialer.ASDPlugin is a premium-rate adult dialer.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\xp\system32\uk_nm.exe
c:\xp\system32\config\systemprofile\local settings\temporary internet files\content.ie5\cxob8nk3\uk[1].exe

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page hkey -2147483647
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN title Launch DerBiz.com
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet value ¼ç|†Õ|,ú
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet key SOFTWARE\Microsoft\RAS AutoDial\Default
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet hkey -2147483646
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial value 1
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial key Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial hkey -2147483647
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page value http://www.infizi.com/
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page key Software\Microsoft\Internet Explorer\Main

Detected Spyware Cookies
No spyware cookies were found during this scan.

Ad-Aware picks up f*** all.

I read something somewhere that said symantec (Norton AV) have a cure thats only available from them with live update!

Howdy Infizi and Welcome to the Geeks to Go Forums!

I understand the frustrations you are having,lets see if we can do something about it!

First>Uninstall Ad Aware 6 and any plugins you may have downloaded...There is an Updated Version Available!

Once all is Uninstalled>Click Start>Click Run>Type in Msconfig and Click OK!

Once in Msconfig>Click the Services Tab>Scroll the list and Locate this entry

MDM (Machine Debug Manager)<< Uncheck the Box beside that entry!

Now Click the StartUp Tab>Make sure every entry there has a check in the box beside it!

Click Apply>>OK>>Follow the Prompts to Restart!!

Once back in Normal Mode>Download>Install>Update and Configure Ad Aware SE 1.05 just as described in the link below!
http://www.bleepingc...showtutorial=48

Download LQfix.zip
http://users.pandora...atchy/LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

Please Dont run either of these yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!
Here is a link to help with that
http://www.bleepingc...showtutorial=62

Once in Safe Mode

Doubleclick LQfix.bat that you saved on your desktop before.

A doswindow will open and close again, this is normal.

Now Locate and Delete these

C:\XP\System32\svcnet.exe<< File Only!

C:\XP\msview<< Folder!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates and post it along with a Fresh HiijackThis log!!

#1
Infizi

Posted 21 May 2005 - 08:21 AM

Advertisements

#2
Wizard

Posted 22 May 2005 - 06:47 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us