OK, I've run Ad-Aware 6 Pro, Spybot S&D, Microsoft AntiSpyware, Win CleanUp and HJT. Also got ZoneLabs AntiVirus running and checking! I have a reasonable knowledge and I've run all these and removed tonnes of stuff. I've also un-SP2'd my laptop until it's fixed.
Now, here are the problems.
1) Every time I turn my PC on it runs this DerBiz cr*p.
2) Ad-Aware and MS ASW remove a number of cookies and applications, plus reg keys.
3) DerBiz still runs.
4) Ad-Watch (Ad-Aware extra) keeps picking up (every 10 seconds) all day long (even after cleans and anti-spyware removal etc.) an attempt to change a value in the registry called checkrun in Windows\Run and tell it to point to system32\elitegra32.exe (doesn't exist).
5) I keep getting pop-ups from casalemedia.com that started when the spyware got on my PC!
6) The details below happen EVERY TIME I restart. What the...? Same results from cleaners and ASW things...
So, I'm down to my last tether. I've only just got my PC fully working again after a well-needed format.
So, here's the HJT log (I've fixed already but the problem still exists; something I missed?):
Logfile of HijackThis v1.99.1
Scan saved at 15:12:34, on 21/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\XP\system32\spoolsv.exe
C:\XP\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\XP\system32\ZoneLabs\vsmon.exe
C:\XP\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\XP\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infizi.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infizi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\XP\system32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\XP\System32\ctfmon.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116322223036
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\XP\System32\ZoneLabs\isafe.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\XP\system32\ZoneLabs\vsmon.exe
Here's the Ad-Watch details:
===============================================
21/05/2005 15:13:42 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe
Attempt to alter the autostart section (Blocked)
===============================================
21/05/2005 15:13:58 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe
Attempt to alter the autostart section (Blocked)
===============================================
21/05/2005 15:14:05 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe
Attempt to alter the autostart section (Blocked)
===============================================
21/05/2005 15:14:12 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe
Attempt to alter the autostart section (Blocked)
===============================================
21/05/2005 15:14:22 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe
Attempt to alter the autostart section (Blocked)
===============================================
It goes on and on; current count 177 in 20 minutes...
Spyware Scan Details
Start Date: 21/05/2005 12:36:24
End Date: 21/05/2005 14:05:18
Total Time: 1 hrs 28 mins 54 secs
Detected Threats
SearchMiracle.EliteBar Browser Plug-in more information...
Details: SearchMiracle.EliteBar adds a search redirection toolbar to Internet Explorer called Elite Bar.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\xp\system32\temperror32.dat
Infected registry keys/values detected
HKEY_CURRENT_USER\Software\LQ
HKEY_CURRENT_USER\Software\LQ TM 10
HKEY_CURRENT_USER\Software\LQ AT 300
HKEY_CURRENT_USER\Software\LQ AC 250
HKEY_CURRENT_USER\Software\LQ AD 5
HKEY_CURRENT_USER\Software\LQ AM 5
Dialer.ASDPlugin Dialer more information...
Details: Dialer.ASDPlugin is a premium-rate adult dialer.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected files detected
c:\xp\system32\uk_nm.exe
c:\xp\system32\config\systemprofile\local settings\temporary internet files\content.ie5\cxob8nk3\uk[1].exe
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page hkey -2147483647
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN title Launch DerBiz.com
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet value |Ր|,
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet key SOFTWARE\Microsoft\RAS AutoDial\Default
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet hkey -2147483646
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial value 1
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial key Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial hkey -2147483647
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page value http://www.infizi.com/
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page key Software\Microsoft\Internet Explorer\Main
Detected Spyware Cookies
No spyware cookies were found during this scan.
Ad-Aware picks up f*** all.
I read something somewhere that said Symantec (Norton AV) have a cure that's only available from them with Live Update!
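As an added example (not part of the original post), a small Python triage script for the two logs posted above: it flags HJT O4 Run entries that give only a bare file name, and groups the Ad-Watch entries to show how often the same autostart target is being re-written. The sample lines are constructed from the formats quoted in the post; the function names are my own.

```python
import re
from datetime import datetime

# Constructed samples: the O4 lines quoted in the post, and one Ad-Watch entry in
# the format shown there, repeated for three of the posted timestamps.
HJT_O4 = r"""O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\XP\System32\ctfmon.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe"""
ENTRY = r"""{ts} - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe
Attempt to alter the autostart section (Blocked)
===============================================
"""
ADWATCH = ''.join(ENTRY.format(ts='21/05/2005 ' + t) for t in ('15:13:42', '15:13:58', '15:14:22'))

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$')
TS_RE = re.compile(r'^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - ')

def parse_o4(text):
    """One dict per O4 line; a command that is a bare file name (no drive or path) is flagged,
    since it is found via the system search order and real installers write a full path."""
    rows = []
    for m in filter(None, map(O4_RE.match, text.splitlines())):
        hive, name, command = m.groups()
        exe = command.strip().strip('"').split('"')[0]
        rows.append({'hive': hive, 'name': name, 'command': command,
                     'bare_filename': '\\' not in exe and ':' not in exe})
    return rows

def summarize_adwatch(text):
    """Group entries by (root, key, value, new data) with repeat count and time span: the same
    target blocked every few seconds means a live process keeps re-writing it, not a stale value."""
    summary = {}
    for block in re.split(r'^=+$', text, flags=re.M):
        lines = block.strip().splitlines()
        if not lines or not (m := TS_RE.match(lines[0])):
            continue
        ts = datetime.strptime(m.group(1), '%d/%m/%Y %H:%M:%S')
        fields = dict(l.split(':', 1) for l in lines[1:] if ':' in l)
        target = tuple(fields.get(k, '') for k in ('Root', 'Key', 'Value', 'New Data'))
        e = summary.setdefault(target, {'count': 0, 'first': ts, 'last': ts})
        e['count'] += 1
        e['first'], e['last'] = min(e['first'], ts), max(e['last'], ts)
        e['span_s'] = int((e['last'] - e['first']).total_seconds())
    return summary
```

Run on the full posted logs, the O4 check singles out the `[I/O Controllers] svcnet.exe` entry, and the Ad-Watch summary turns 177 near-identical entries into one target with a count and a time window.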