Derbiz

Discussion in 'Malware Help (A Specialist Will Reply)' started by pault, Jun 10, 2005.

  1. pault

    pault Private E-2

I have a Sony Vaio laptop - Windows XP Pro, 1.6GHz, 512 MB RAM - infected with Derbiz. I have followed the 35407 thread but the little monster persists. I have a HJT log file. Can anybody help please?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure you follow the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word, etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. pault

    pault Private E-2

    Many thanks Chaslang. Log attached
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet.

    - Now boot into safe mode and then run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window & desktop icons will disappear).

    - When abiremover finishes just reboot into normal and continue with the below steps.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now continue with the below steps. Note some of the items that I mention below may no longer exist. The above steps may have fixed some.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    c:\windows\system32\miuibs.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [yl9w5bp3] C:\Program Files\yl9w5bp3\yl9w5bp3.exe
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\temp532.exe -N
    O4 - HKLM\..\Run: [Jammer2nd] C:\WINDOWS\Jammer2nd.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehxt32.exe
    O4 - HKLM\..\Run: [iokwbn] c:\windows\system32\gicbcyz.exe
    O4 - HKLM\..\Run: [agxfpd] c:\windows\system32\miuibs.exe r
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\yl9w5bp3 <--- the whole folder
    C:\WINDOWS\Jammer2nd.exe
    C:\WINDOWS\System32\temp532.exe
    c:\windows\system32\miuibs.exe
    c:\windows\system32\gicbcyz.exe
    c:\windows\SvcProc.exe
    C:\windows\system32\elitehxt32.exe <-- also delete any other filenames beginning with elite and ending in exe. There could be as many as ten of them.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
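    The HJT lines chaslang lists above each map to a specific persistence location: the O4 lines are Run-key values, the F2 "REG:system.ini: Shell=" line is the Winlogon Shell value, the R0 lines are the IE start page, the O23 line is a service, and the elite*.exe names are files in System32. The following is an added example, not code from the thread or from MajorGeeks, that inventories those same locations read-only so the findings can be compared against a log. It assumes Windows PowerShell 5.1 or newer in an elevated session on a modern Windows build (the thread's machine is Windows XP, where HijackThis itself does this job); the "<random>.exe r" regular expression is an assumption drawn from the names seen in this thread.

```powershell
# Added example, not from the MajorGeeks thread. Read-only inventory of the
# persistence locations that the HJT lines above map to. Assumes Windows
# PowerShell 5.1+ in an elevated session; nothing here changes the system.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # HJT "O4 - HKLM\..\Run"
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # HJT "O4 - HKCU\..\Run"
)
# The F2 "REG:system.ini: Shell=" line is the Winlogon Shell value under this key.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
# The R0 "Start Page" lines live here.
$ieMain = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\Main'
)
$sys32 = Join-Path $env:SystemRoot 'System32'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Location, [string]$Value, [string]$Note) {
    $findings.Add([pscustomobject]@{
        Category = $Category; Location = $Location; Value = $Value; Note = $Note
    })
}

# 1. Run keys. Every value is listed; the regex flags the "<random>.exe r"
#    shape seen on the thread's O4 lines (miuibs.exe r, gicbcyz.exe, ...).
#    The pattern is an assumption drawn from those names, not a signature.
$randomRunPattern = '\\system32\\[a-z0-9]{5,8}\.exe\s+r$'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $note = ''
        if ("$($p.Value)" -match $randomRunPattern) { $note = 'matches the "<random>.exe r" autostart shape' }
        elseif ("$($p.Value)" -match '\\elite[a-z0-9]*\.exe') { $note = 'elite*.exe family' }
        Add-Finding 'Run key' "$key\$($p.Name)" "$($p.Value)" $note
    }
}

# 2. Winlogon Shell: must be exactly "explorer.exe". Anything appended, like
#    "Explorer.exe C:\WINDOWS\Nail.exe", is the hijack the F2 line reports.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    Add-Finding 'Winlogon Shell' "$winlogon\Shell" $shell 'expected exactly "explorer.exe"'
}

# 3. IE start page, as on the R0 lines.
foreach ($key in $ieMain) {
    $sp = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($sp) { Add-Finding 'IE Start Page' "$key\Start Page" $sp 'compare against the home page you set' }
}

# 4. Services whose binary sits directly in the Windows folder, as SvcProc did
#    (c:\windows\SvcProc.exe). Legitimate service binaries almost always live
#    under System32 or Program Files.
$rootExe = '^"?' + [regex]::Escape($env:SystemRoot) + '\\[^\\"]+\.exe'
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -and $svc.PathName -match $rootExe) {
        Add-Finding 'Service' $svc.Name $svc.PathName 'binary directly under the Windows folder'
    }
}

# 5. Files named elite*.exe in System32, which the thread says can number ten or more.
Get-ChildItem -Path $sys32 -Filter 'elite*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    Add-Finding 'File' $_.FullName ("{0} bytes, SHA256 {1}" -f $_.Length, $hash) 'elite*.exe family'
}

$findings | Sort-Object Category | Format-Table -AutoSize -Wrap
```

Run it once before the cleanup and once after the reboot into normal mode; the second report should show no Run values matching the random-name pattern, a Winlogon Shell of exactly explorer.exe, no service binaries directly under the Windows folder, and no elite*.exe files. Recording the SHA256 of each file before deletion gives you something concrete to put in the follow-up post if a file reappears under a different name.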
     
  5. pault

    pault Private E-2

    Very many thanks Chaslang. It seems to have resolved the problem.
     

    Attached Files:

  6. pault

    pault Private E-2

    Ooops... I spoke too soon. Pop-ups are still coming - Adult FriendFinder and Aurora, part of the ABI Network.
     
  7. pault

    pault Private E-2

    OK, I've repeated the procedure and in the process realised that there were some 'elite*' files that I hadn't deleted.

    I'm sorry that you are helping some of us with diminished levels of competence :)

    So far (10 minutes) all is looking OK.

    Thanks again
    P.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your last HJT log still showed some problems.

    Are the below still in a current log?


    c:\windows\system32\tlomwr.exe

    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehxt32.exe
    O4 - HKLM\..\Run: [kqrssed] c:\windows\system32\tlomwr.exe r <--- this one could have mutated into another name

    You may want to just post a new log and then do not power down or reboot. That is when these things normally mutate.
     
  9. pault

    pault Private E-2

    I think you are right. Here is the latest log.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    SvcProc

    You may want to print or save the instructions locally at this point.

    Now reboot into safe mode with no network support. It may even tell you to reboot at this point. So make sure you boot into safe mode.

    Now in safe mode run the abiremover and hoster items I gave you in message # 4.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    c:\windows\system32\udrosff.exe <-- hopefully this has not renamed itself again.


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehxt32.exe
    O4 - HKLM\..\Run: [agiqdad] c:\windows\system32\udrosff.exe r
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


    After clicking Fix, exit HJT.

    Use Windows Explorer to delete:
    C:\WINDOWS\Nail.exe
    C:\windows\system32\elitehxt32.exe <--- make sure you look for and delete other filenames beginning with elite and ending with exe.
    c:\windows\system32\udrosff.exe
    C:\WINDOWS\svcproc.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.


    Now run Ccleaner. Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
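    The first two steps of this post (stop the service in services.msc, set its Start-up Type to Disabled, then remove the registration with HJT's "Delete an NT Service") are the standard sequence for a malicious service: stop it so it cannot re-create its files, disable it so it cannot start on the next boot, then delete the registration, leaving the binary itself for the safe-mode deletion step. The following is an added example, not code from the thread or from MajorGeeks, that performs the same sequence from PowerShell and records the image path and hash first so the details survive for the log posted back. It assumes an elevated Windows PowerShell 5.1 session on a modern Windows build (the thread's XP machine predates PowerShell), the service name SvcProc from the thread, and that the service's image path ends in .exe; the function name Remove-SuspectService and the log file path are the example's own.

```powershell
# Added example, not from the MajorGeeks thread. PowerShell equivalent of the
# services.msc and HJT "Delete an NT Service" steps. Assumes Windows
# PowerShell 5.1+ in an elevated session; the service name comes from the thread.

function Remove-SuspectService {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Hypothetical log location chosen for this example.
        [string] $LogPath = (Join-Path $env:TEMP 'service-removal.log')
    )

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$Name' is not registered; nothing to do."
        return $null
    }

    # Record the image path and a hash of the binary before touching anything,
    # so the details survive for the log you post back to the thread.
    # Assumes the image path ends in .exe (quoted or not, with or without arguments).
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $image = [regex]::Match($cim.PathName, '^"?([^"]+?\.exe)', 'IgnoreCase').Groups[1].Value
    $hash = if ($image -and (Test-Path -LiteralPath $image)) {
        (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
    } else { 'file not found' }
    $record = "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $Name, $image, $hash
    Add-Content -Path $LogPath -Value $record

    # Step 1 of the post: stop the service, then set Start-up Type to Disabled
    # so it cannot come back on the reboot into safe mode.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    Set-Service -Name $Name -StartupType Disabled

    # Step 2 of the post: remove the service registration itself. sc.exe is the
    # supported way on Windows PowerShell 5.1 (Remove-Service arrived in 6.0).
    $out = & sc.exe delete $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe delete failed: $out" }

    # The binary is deliberately left alone; the post deletes it from safe mode.
    [pscustomobject]@{ Name = $Name; ImagePath = $image; SHA256 = $hash; Log = $LogPath }
}

Remove-SuspectService -Name 'SvcProc'
```

The returned object gives the image path to delete in safe mode, and the hash lets you tell later whether a file that reappears under a new name is the same binary or a different one, which is exactly the "has it renamed itself?" question that comes up further down this thread.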
     
  11. pault

    pault Private E-2

    I'm afraid that the m/c was switched on and off a few times. I have exclusive use of the m/c this evening and am posting a fresh hjt log. Sorry about this, but it is my boss's m/c. Any help this evening would be very much appreciated. Aurora is most evident.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you ever follow the steps I gave you last time? It does not seem like it!


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    SvcProc

    You may want to print or save the instructions locally at this point.

    Now reboot into safe mode with no network support. It may even tell you to reboot at this point. So make sure you boot into safe mode.

    Now in safe mode run the abiremover and hoster items I gave you in message # 4.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    c:\windows\system32\udrosff.exe <-- hopefully this has not renamed itself again.


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehxt32.exe
    O4 - HKLM\..\Run: [oqnbeo] c:\windows\system32\sucfuty.exe r
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    After clicking Fix, exit HJT.

    Use Windows Explorer to delete:
    C:\WINDOWS\Nail.exe
    C:\windows\system32\elitehxt32.exe <--- make sure you look for and delete other filenames beginning with elite and ending with exe.
    c:\windows\system32\sucfuty.exe
    C:\WINDOWS\svcproc.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.


    Now run Ccleaner. Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  13. pault

    pault Private E-2

    There isn't a udrosff.exe. But there is a c:\windows\system32\tfidciv.exe

    Should I kill that (ie has it renamed itself?)?
     
  14. pault

    pault Private E-2

    OK, I took a calculated risk and assumed it had renamed itself. Here is the new log
     

    Attached Files:

  15. pault

    pault Private E-2

    I think it's gone
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your last log was clean. Hopefully things are still working okay. If so, you should check out the steps in the below thread to help keep you clean:

    How to Protect yourself from malware!
     
  17. pault

    pault Private E-2

    Will do. Very many thanks Chaslang.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     