Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

"Derbiz"and many pop-ups; "DrPMon.dll" [RESOLVED]


  • This topic is locked This topic is locked

#1
DrKelso

DrKelso

    New Member

  • Member
  • Pip
  • 4 posts
Hello to everyone at Geeks to Go,

First off, thank you for providing this service, especially the “Required steps before posting your log” page, for providing links to download everything and written in a very easy to understand manner. This is my second post as I initially posted in the wrong section, sorry.

I am having problems with something called “derbiz” which, from reading other posts appears to be pretty common. Upon start up it asks that I dial a connection, which I haven’t. I delete this programme, but upon re-starting my computer is always come back. To add to this I have many pop-ups appearing.

I have followed all of the instructions on the above page, however I am still experiencing the “derbiz” problem.

The Ewido scan reported the following (full log detailed below); “worm Peybot.A – non cleanable – C:\ Windows\system32\TFTP2148”.

A scan preformed by “Trend Housecall” as per the above instructions reported; “Trojan horse – IRC\Backdoor. SdBot.129Avworm\Agobot.43.BR – Healed Successfully”.

Other action taken so far includes an attempt by my housemate to rid me of this virus (?) using “killbox” amongst other applications. He said that there is a file named “DrPMon.dll” which keeps re-appearing after startup, however, after his best efforts he could not help. He disabled a number of things in the Msconfig start up tab, which in line with the instructions I re-enabled prior to performing my Highjack this scan.

Please find below my Ewido and Highjack this logs as per the instructions.

Thank you for taking the time to read this, and any help is greatly appreciated.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:16:32, 05/06/2005
+ Report-Checksum: 6C0FE52F

+ Date of database: 04/06/2005
+ Version of scan engine: v3.0

+ Duration: 63 min
+ Scanned Files: 215146
+ Speed: 56.39 Files/Second
+ Infected files: 22
+ Removed files: 11
+ Files put in quarantine: 11
+ Files that could not be opened: 0
+ Files that could not be cleaned: 11

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
C:\

+ Scan result:
C:\Documents and Settings\Dan\Cookies\dan@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\elitebym32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\eliteehh32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\eliteiub32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\eliteiuh32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitemav32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitenrz32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\eliteppc32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitevax32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\eliteyuy32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitezng32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Dan\Cookies\dan@com[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\system32\elitebym32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\eliteehh32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\eliteiub32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\eliteiuh32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\elitemav32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\elitenrz32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\eliteppc32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\elitevax32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\eliteyuy32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\elitezng32.exe -> Spyware.Hijacker.Generic -> Error during cleaning


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 12:49:18, on 05/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\temp532.exe -N
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [xlgsn] C:\WINDOWS\System32\xlgsn.exe
O4 - HKLM\..\Run: [pngkiq] c:\windows\system32\sjbqghx.exe
O4 - HKLM\..\Run: [pauvxs] c:\windows\system32\fudpim.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eqjod] C:\WINDOWS\System32\eqjod.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

Advertisements


#2
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\temp532.exe -N
O4 - HKLM\..\Run: [xlgsn] C:\WINDOWS\System32\xlgsn.exe
O4 - HKLM\..\Run: [pngkiq] c:\windows\system32\sjbqghx.exe
O4 - HKLM\..\Run: [pauvxs] c:\windows\system32\fudpim.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [eqjod] C:\WINDOWS\System32\eqjod.exe

4. Delete the files. (if present)

C:\WINDOWS\System32\temp532.exe
C:\WINDOWS\System32\xlgsn.exe
c:\windows\system32\sjbqghx.exe
c:\windows\system32\fudpim.exe
C:\Windows\msxct.exe or C:\Windows\System32\msxct.exe
C:\WINDOWS\System32\eqjod.exe

5. Reboot and post a new Hijackthis log here in a reply.
  • 0

#3
DrKelso

DrKelso

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thank you therock247uk!!

I think it worked, I didn't get "derbiz" asking me to dial a connection when i re-started my computer, and at the time of writting this reply I haven't had any pop-ups!!

I followed your instructions, couldn't find the files;

C:\WINDOWS\System32\xlgsn.exe
c:\windows\system32\sjbqghx.exe
c:\windows\system32\fudpim.exe
C:\Windows\msxct.exe or C:\Windows\System32\msxct.exe
C:\WINDOWS\System32\eqjod.exe

I did find and delete:
C:\WINDOWS\System32\temp532.exe

Here is the latest HJT log that you asked for.

Once again thank you for you help and quick reply!

Logfile of HijackThis v1.99.1
Scan saved at 16:02:35, on 05/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#4
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Your log is clean :tazz:

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.
  • 0

#5
DrKelso

DrKelso

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Once again thank you for the quick and immensly helpful reply.

I have installed the programmes that you recommended, however I have a quick question if you have time. Whilst working through the initial instructions;

http://www.geekstogo..._Log-t2852.html

prior to posting my HJT, I installed the free AVG anti-virus software. There was a note on the page saying not to install more than one anit-virus programme because "They will conflict, and provide less protection, not more."

Will the applications that you suggested and that I installed conflict with AVG?

Thank you!
  • 0

#6
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Nope they wont. :tazz:
  • 0

#7
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP