uk_nm elitebar DerBiz and checkrun!



#1
Infizi
New Member, 2 posts
;)
ok, I've run Ad-Aware 6 Pro, Spybot S&D, Microsoft Anti-Spyware, Win CleanUP and HJT. Also got ZoneLabs AntiVirus running and checking! I have a reasonable knowledge and I've run all these and removed tonnes of stuff. I've also un-SP2'd my laptop until it's fixed.

Now, here are the problems.
1) Every time I turn my PC on it runs this DerBiz cr*p.
2) Ad-Aware and MS ASW remove a number of cookies and applications, + reg keys
3) DerBiz still runs
4) Ad-Watch (Ad-Aware extra) keeps picking up (every 10 seconds) all day long (even after cleans and anti-spyware removal etc.) an attempt to change a value in the registry called checkrun in Windows/Run and tells it to point to system32/elitegra32.exe (doesn't exist)
5) I keep getting pop-ups from casalemedia.com that started when the spyware got on my PC!
6) The details below happen EVERY TIME I restart. What the...? Same results from cleaners and ASW things...


So, I'm down to my last tether. I've only just got my PC fully working again after a well-needed format.

So, here's the HJT log (I've fixed already but the problem still exists, something I missed?)

Logfile of HijackThis v1.99.1
Scan saved at 15:12:34, on 21/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\XP\system32\spoolsv.exe
C:\XP\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\XP\system32\ZoneLabs\vsmon.exe
C:\XP\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\XP\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infizi.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infizi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\XP\system32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\XP\System32\ctfmon.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116322223036
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\XP\System32\ZoneLabs\isafe.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\XP\system32\ZoneLabs\vsmon.exe

Here are the Ad-Watch details
===============================================
21/05/2005 15:13:42 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
21/05/2005 15:13:58 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
21/05/2005 15:14:05 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
21/05/2005 15:14:12 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
21/05/2005 15:14:22 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:checkrun
Data:
New Data:C:\xp\system32\elitegra32.exe

Attempt to alter the autostart section (Blocked)

===============================================
it goes on and on, current count 177 in 20 minutes....

Spyware Scan Details
Start Date: 21/05/2005 12:36:24
End Date: 21/05/2005 14:05:18
Total Time: 1 hrs 28 mins 54 secs

Detected Threats

SearchMiracle.EliteBar Browser Plug-in more information...
Details: SearchMiracle.EliteBar adds a search redirection toolbar to Internet Explorer called Elite Bar.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\xp\system32\temperror32.dat

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\LQ
HKEY_CURRENT_USER\Software\LQ TM 10
HKEY_CURRENT_USER\Software\LQ AT 300
HKEY_CURRENT_USER\Software\LQ AC 250
HKEY_CURRENT_USER\Software\LQ AD 5
HKEY_CURRENT_USER\Software\LQ AM 5


Dialer.ASDPlugin Dialer more information...
Details: Dialer.ASDPlugin is a premium-rate adult dialer.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected files detected
c:\xp\system32\uk_nm.exe
c:\xp\system32\config\systemprofile\local settings\temporary internet files\content.ie5\cxob8nk3\uk[1].exe

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page hkey -2147483647
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN title Launch DerBiz.com
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet value |Ր|,
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet key SOFTWARE\Microsoft\RAS AutoDial\Default
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\DefaultInternet hkey -2147483646
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial value 1
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial key Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\EnableAutodial hkey -2147483647
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page value http://www.infizi.com/
HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN\restore\Start Page key Software\Microsoft\Internet Explorer\Main


Detected Spyware Cookies
No spyware cookies were found during this scan.

Ad-Aware picks up f*** all.


I read something somewhere that said Symantec (Norton AV) have a cure that's only available from them with LiveUpdate! ;)
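Added example, not code from the post or from Lavasoft: a small Python triage of the Ad-Watch entries quoted above. It parses the block format Ad-Watch writes and groups entries by the registry value being written, so it is easy to see that one autostart value (here `checkrun`) is being re-applied about every ten seconds. A value that is blocked and then re-attempted at that rate points to a process that is still running, not to a leftover registry entry a scanner could simply delete. The sample log is constructed from the five timestamps in the post plus one extra entry (constructed, not from the post) so the grouping is visible; the thresholds in `active_rewriters` are assumptions.

```python
"""Triage of Ad-Watch 'Registry modification detected' entries.

Added example, not code from the post or from Lavasoft.  It parses the
block format Ad-Watch writes and groups the entries by the registry value
being written, so that a value that is blocked and then re-applied every
few seconds stands out.  That pattern means a live process is behind the
writes, not a stale registry entry.
"""
import re
from collections import defaultdict
from datetime import datetime

# Template reproducing the block layout Ad-Watch writes (one entry).
ENTRY = (
    "===============================================\n"
    "{ts} - Registry modification detected\n"
    "Root:{root}\n"
    "Key:Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "Value:{value}\n"
    "Data:\n"
    "New Data:{data}\n"
    "\n"
    "Attempt to alter the autostart section (Blocked)\n"
    "\n"
)

# Constructed sample: the five 'checkrun' timestamps quoted in the post,
# plus one extra entry (constructed, not from the post) for another value.
CHECKRUN_TIMES = ["21/05/2005 15:13:42", "21/05/2005 15:13:58",
                  "21/05/2005 15:14:05", "21/05/2005 15:14:12",
                  "21/05/2005 15:14:22"]
SAMPLE_LOG = "".join(
    ENTRY.format(ts=ts, root="HKEY_LOCAL_MACHINE", value="checkrun",
                 data=r"C:\xp\system32\elitegra32.exe")
    for ts in CHECKRUN_TIMES
) + ENTRY.format(ts="21/05/2005 15:20:00", root="HKEY_CURRENT_USER",
                 value="I/O Controllers", data="svcnet.exe")

SEPARATOR = re.compile(r"^=+\s*$", re.MULTILINE)
HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (.+)$")
FIELD = re.compile(r"^(Root|Key|Value|Data|New Data):(.*)$")


def parse_adwatch(text):
    """Return one dict per entry: time, event, root, key, value, data, new_data, blocked."""
    events = []
    for chunk in SEPARATOR.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        head = HEADER.match(lines[0])
        if not head:
            continue
        ev = {"time": datetime.strptime(head.group(1), "%d/%m/%Y %H:%M:%S"),
              "event": head.group(2), "blocked": False}
        for ln in lines[1:]:
            field = FIELD.match(ln)
            if field:
                ev[field.group(1).lower().replace(" ", "_")] = field.group(2).strip()
            elif "(Blocked)" in ln:
                ev["blocked"] = True
        events.append(ev)
    return events


def summarise(events):
    """Group events by (root, key, value, new data) and measure how often each recurs."""
    groups = defaultdict(list)
    for ev in events:
        target = (ev.get("root", ""), ev.get("key", ""),
                  ev.get("value", ""), ev.get("new_data", ""))
        groups[target].append(ev["time"])
    summary = []
    for (root, key, value, data), times in groups.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        interval = span / (len(times) - 1) if len(times) > 1 else None
        summary.append({"root": root, "key": key, "value": value, "new_data": data,
                        "attempts": len(times), "span_s": span,
                        "mean_interval_s": interval})
    return summary


def active_rewriters(summary, min_attempts=3, max_interval_s=60):
    """Targets re-applied repeatedly within a short interval (thresholds are assumptions)."""
    return [g for g in summary
            if g["attempts"] >= min_attempts
            and g["mean_interval_s"] is not None
            and g["mean_interval_s"] <= max_interval_s]


if __name__ == "__main__":
    for g in active_rewriters(summarise(parse_adwatch(SAMPLE_LOG))):
        print(f"{g['root']}\\{g['key']}\\{g['value']} -> {g['new_data']}: "
              f"{g['attempts']} attempts, one every {g['mean_interval_s']:.0f}s")
```

Run it on a saved Ad-Watch log instead of `SAMPLE_LOG` and the output names the autostart value worth tracing back to a running process; for the sample it reports `checkrun` with five attempts ten seconds apart.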


#2
Wizard
Retired Staff, 5,661 posts
Howdy Infizi and Welcome to the Geeks to Go Forums!

I understand the frustrations you are having, let's see if we can do something about it!

First>Uninstall Ad Aware 6 and any plugins you may have downloaded... There is an Updated Version Available!

Once all is Uninstalled>Click Start>Click Run>Type in Msconfig and Click OK!

Once in Msconfig>Click the Services Tab>Scroll the list and Locate this entry

MDM (Machine Debug Manager)<< Uncheck the Box beside that entry!

Now Click the StartUp Tab>Make sure every entry there has a check in the box beside it!

Click Apply>>OK>>Follow the Prompts to Restart!!

Once back in Normal Mode>Download>Install>Update and Configure Ad Aware SE 1.05 just as described in the link below!
http://www.bleepingc...showtutorial=48

Download LQfix.zip
http://users.pandora...atchy/LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!


Please don't run either of these yet!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders; this must be done after restarting in Safe Mode!!
Here is a link to help with that
http://www.bleepingc...showtutorial=62

Once in Safe Mode

Double-click LQfix.bat that you saved on your desktop before.

A DOS window will open and close again; this is normal.


Now Locate and Delete these

C:\XP\System32\svcnet.exe<< File Only!

C:\XP\msview<< Folder!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!


Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the report it generates and post it along with a fresh HijackThis log!!

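Added example, not code from the thread or from HijackThis: a Python triage of the O4 (autostart) lines in the log above that flags the pattern the reply singles out for fixing. Every legitimate entry in that log carries a full path; `[I/O Controllers] svcnet.exe` is a bare file name with no directory, which almost no installer writes and which the loader has to resolve through its search order. The sample is the O4 lines from the posted log (plus two non-O4 lines to show they are skipped); the heuristic and the function names are assumptions.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example, not code from the thread or from HijackThis.  It parses
O4 lines, separates the executable from its arguments (honouring quoted
paths), and flags any entry whose command is a bare file name with no
directory, the one entry the reply above tells the poster to fix.
"""
import re

# Constructed sample: the O4 lines from the posted log, plus an R0 and an
# O23 line to show that non-O4 lines are ignored.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infizi.com/
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\XP\System32\ctfmon.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\XP\system32\ZoneLabs\vsmon.exe
"""

# "O4 - HKLM\..\Run: [name] command"  (hive, key, value name, command line)
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Unquoted command: everything up to the first ".exe" is the executable.
EXE_THEN_ARGS = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>.*)$", re.IGNORECASE)


def split_command(cmd):
    """Return (executable, arguments), honouring a double-quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_THEN_ARGS.match(cmd)
    if m:
        return m.group("exe"), m.group("args").strip()
    parts = cmd.split(None, 1)          # no ".exe" at all: first token
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_o4(log_text):
    """Parse every O4 line and attach the reasons (if any) it deserves a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        reasons = []
        if "\\" not in exe:
            # Heuristic (assumption): installers write full paths; a bare
            # name leaves it to the loader's search order to find the file.
            reasons.append("bare file name, no directory")
        findings.append({"hive": m.group("hive"), "key": m.group("key"),
                         "name": m.group("name"), "exe": exe, "args": args,
                         "reasons": reasons})
    return findings


def suspicious(findings):
    """Only the entries that collected at least one reason."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(triage_o4(SAMPLE_HJT)):
        print(f"{f['hive']}\\..\\{f['key']}: [{f['name']}] {f['exe']} "
              f"<- {', '.join(f['reasons'])}")
```

Pointed at a full HijackThis log, it prints only the autostart entries that break the full-path convention; for the sample that is exactly the `[I/O Controllers] svcnet.exe` line the reply asks to have fixed.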