[mikeygoestohollywood]

Hi there, I Just completely formatted my hard drive yesterday due to some errors, and within 10 mins of being online i had deleted 48 different parts of spyware, but am still unable to get rid of derbiz.

I Have read your other posts on this topic so i have downloaded Hijack.

Here is the log :- Can you pls help



Logfile of HijackThis v1.99.1
Scan saved at 10:08:06, on 03/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\GSICON.EXE
D:\WINDOWS\system32\dslagent.exe
D:\WINDOWS\system32\msxct.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\Program Files\Network Associates\VirusScan\Vshwin32.exe
D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\Avconsol.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Network Associates\VirusScan\Webscanx.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://empnads.com/s...L?zone=enternet
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [checkrun] D:\windows\system32\elitejsp32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117699949281
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D16E61-EEF7-43AB-94EF-38D09102C376}: NameServer = 81.26.107.2 81.26.107.3
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - D:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe


Hope this makes for fun reading as it kinda baffles me in a way. Thanks

Edited by mikeygoestohollywood, 03 June 2005 - 03:24 AM.

[Advertisements]

Who is you Internet Provider??

Do you know anything about KBmedia range 1?

[Wizard]

Who is you Internet Provider??

Do you know anything about KBmedia range 1?

[mikeygoestohollywood]

My internet Provider is FairADSL.co.uk Never heard of KB Media Range 1.

[Wizard]

Do me a favor and Call you Internet Provider and ask them if they are affiliated with KB Media Range 1 in any way!

Also ask them if these IP Addresses are correct for your location??

81.26.107.2

81.26.107.3

While we wait to find out,Please Dwomload remv3.zip from Here


Please be sure remv3 is Unzipped into its own folder,otherwise it will not work!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam


Locate remv3.zip and Double Click remv3.bat>>Wait for the DOS window to close!

It will create a log located at C:\log.txt,I will need to see that log in the next post!


Enter your control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.

Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.

Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Make sure the radio dial has the Green Dot in it!!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with the log from Remv3>>Panda Report and a fresh HijackThis log!

Let me know what Internet Provider says!