Help with Pop ups and DerBiz dialler

Discussion in 'Malware Help (A Specialist Will Reply)' started by Caver, Jun 7, 2005.

  1. Caver

    Caver Private E-2

    I am plagued by pop ups appearing and by a DerBiz dialler continually trying to install itself.
    I have followed your instructions for cleaning my system with one exception. When I booted in safe mode I was unable to access my modem, so had to run everything in normal mode.
    The two online scans found nothing, but Spybot found 2 entries for Download Accelerator Plus Ads which it can never remove. It also found 1 entry for Elitum.EliteBar which it removes but which always comes back. One of the other programs did find something which from memory it referred to as a remainder, but I stupidly did not note this. Please accept my apologies.
    I have Norton Antivirus which also fails to remove whatever the problem is. We did not have this installed before the problem appeared, only Norton Firewall.
    After following your clean up instructions it was some time before DerBiz came back, but the pop ups were still as persistent.
    We also have McAfee Parental Controls and either it or something else has removed the access time restrictions and also blocks their reintroduction for some accounts.
    What do you recommend?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the below steps and answer these questions:

    Do you use Download Accelerator Plus (DAP)? If so, what version? Do you want to keep it?

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. + Sh@DoW +

    + Sh@DoW + Private E-2

    To remove EliteBar, download EliteToolbar Remover

    1. Reboot into Safe Mode.

    2. Tap F8 repeatedly when your machine starts to boot up.
    Select 'Safe Mode' from the options that appear.

    3. Run the removal tool while in Safe Mode.


    Then follow the Hijack This option posted by chaslang. Unless his post got the problem fixed ;)

    Regards,
     
  4. Caver

    Caver Private E-2

    Thanks for the help. The DerBiz dialler does not seem to be downloading but the pop ups are still appearing.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE version are seriously out of date and represent a major security risk. You must get updated after we fix any current problems.

    Running both McAfee and Symantec products at the same time is probably a bad idea. Especially if the stuff you have from McAfee also contains an antivirus application.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\temp532.exe -N
    O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
    O15 - Trusted Zone: http://memberservices.tesco.net
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gepdendw.exe
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x17.chm::/trs17.exe
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O20 - Winlogon Notify: iexplore - TT\rS.dll (file missing)
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\temp532.exe
    C:\Program Files\Internet Explorer\ixplore.exe <--- this is not iexplore.exe which is valid. Only delete ixplore.exe if found.
    c:\eied_s7.cab
    c:\ex.cab

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
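    Worked example, added here and not part of the thread or of HijackThis itself: a small Python triage script that parses HJT log lines of the kind quoted in the post above and applies defender-side heuristics mirroring what chaslang singled out (an autorun whose name is one character off a real Windows binary such as ixplore.exe vs iexplore.exe, temp-style executables launched from System32, O16 DPF download targets that are not web URLs such as file:// and ms-its:, the http-in-Trusted-Zone protocol default, dangling "(file missing)" entries, and start/search pages pointing at hosts the user never chose). The heuristic rules, the Finding/triage/edit_distance names and the two benign-looking sample lines (ExampleAV, example.invalid) are my own constructions; the other sample lines are copied from the log entries quoted in the post. Anything it flags is a candidate for review, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not HijackThis code and not from the original thread.
HJT prints one entry per line: a section code (R0, O4, O16, ...),
" - ", then the entry body. The rules below are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: entries copied from the log quoted in the post above,
# plus two benign-looking lines (ExampleAV, example.invalid) made up to show
# that ordinary autoruns and ordinary web ActiveX downloads are not flagged.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\temp532.exe -N
O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x17.chm::/trs17.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O20 - Winlogon Notify: iexplore - TT\rS.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe"
O16 - DPF: {EXAMPLE-CONSTRUCTED} - http://example.invalid/plugin.cab
"""

@dataclass
class Finding:
    section: str
    severity: str   # "HIGH", "MEDIUM" or "LOW"
    reason: str
    raw: str

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
EXE_RE = re.compile(r'\]\s*"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"^temp\d*\.exe$", re.IGNORECASE)
# Well-known Windows binaries that malware names are often one typo away from.
KNOWN_BINARIES = ("iexplore.exe", "explorer.exe", "svchost.exe", "winlogon.exe")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used for the lookalike-name check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_run_entry(body):
    """O4 autorun: temp-style names and near-misses of real binaries."""
    m = EXE_RE.search(body)
    if not m:
        return None
    name = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if TEMP_EXE_RE.match(name):
        return ("HIGH", f"autorun of temp-style executable {name}")
    for known in KNOWN_BINARIES:
        if name != known and edit_distance(name, known) == 1:
            return ("HIGH", f"{name} is one character away from {known}")
    return None

def check_url_entry(body, expected_hosts):
    """R0/R1/R3 start and search pages: anything not about:blank or expected."""
    if " = " not in body:
        return None
    url = body.rsplit(" = ", 1)[1].strip()
    if url.lower() in ("", "about:blank"):
        return None
    host = urlsplit(url).hostname or url
    if host.lower() in expected_hosts:
        return None
    return ("MEDIUM", f"browser page setting points at {host}; confirm you chose it")

def check_dpf_entry(body):
    """O16 DPF: ActiveX downloads should come from http(s), not local files or CHM."""
    target = body.rsplit(" - ", 1)[-1].strip()
    if re.match(r"https?://", target, re.IGNORECASE):
        return None
    return ("HIGH", f"ActiveX download target is not a web URL (scheme {target.split(':', 1)[0]})")

def triage(text, expected_hosts=frozenset()):
    """Parse HJT lines and return the entries worth a closer look."""
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        hit = None
        if sec in ("R0", "R1", "R3"):
            hit = check_url_entry(body, expected)
        elif sec == "O4":
            hit = check_run_entry(body)
        elif sec == "O15":
            if "should be Internet Zone" in body:
                hit = ("HIGH", "protocol default mapped to Trusted Zone; weakens IE security for every site")
            elif "Trusted Zone" in body:
                hit = ("LOW", "site in Trusted Zone; confirm it is one you added")
        elif sec == "O16":
            hit = check_dpf_entry(body)
        elif sec in ("O9", "O20", "O21"):
            if "(file missing)" in body:
                hit = ("MEDIUM", "entry points at a file that no longer exists; dangling, safe to remove")
            elif sec in ("O20", "O21"):
                hit = ("LOW", "shell/winlogon extension DLL; verify it belongs to software you installed")
        if hit:
            findings.append(Finding(sec, hit[0], hit[1], raw))
    return findings

if __name__ == "__main__":
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.raw}")
```

    Pass the hosts the user actually chose (for instance their ISP's home page) in expected_hosts so that legitimate start-page lines drop out, which is exactly the question chaslang asks about the virgin.net entries further down the thread.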
     
  6. Caver

    Caver Private E-2

    Thanks for the help once again, it is very much appreciated.
    I have followed the instructions. All worked except the following:
    1) There was no C:\WINDOWS\System32\vbsys2.dll in the HJT to delete
    2) When I rebooted into safe mode none of the files were there to delete
    Norton Antivirus did say it had found a problem but it was unable to fix it. The message disappeared before I was able to note it down.
    Some pop ups are still appearing and they all relate to fixing problems with the computer, i.e. the registry etc.
    HJT log attached.
    Once again thanks for the help
    Bob
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below lines for virgin.net valid?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net/
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/

    Please go to the below thread and do step 1, which is getting your Windows Updates. We need to take care of that problem since you are way behind.

    How to Protect yourself from malware!
     
