How to get rid of Derbiz.com

Discussion in 'Malware Help (A Specialist Will Reply)' started by kiwiabroad, Apr 5, 2005.

  1. kiwiabroad

    kiwiabroad Private First Class

    A Launch Derbiz.com icon has appeared on my desktop and can't be removed. This arrived in the few days after downloading Ad-aware but before downloading Spybot, Spyblaster and Spywareguard. Spywareguard now warns me every time I turn on the computer that my internet home page is attempting to change to derbiz.com. I have gone through all the steps from majorgeeks.com on spyware, trojan and virus removal with no progress. Also since derbiz.com appeared I get a blue toolbar appearing on the bottom of the screen when I connect to the internet which stays put on screen even if I disconnect (properties: http://lop.com/passthrough/newpass2.html) plus 2 extremely annoying popups with properties of:
    http://ads1.searchmiracle.com/ads/ad.php?country=2&pos=3
    http://ads1.revenue.net/r?site_id=134158pplacement_id=1
    Can anyone help please?????
     
    Last edited: Apr 5, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. kiwiabroad

    kiwiabroad Private First Class

    Thanks for the instructions. Attached is my log file. Please help!!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You missed some important aspects of my instructions.
    Here is what you had:
    C:\Program Files\Internet Explorer\iexplore.exe <--- 1st browser running
    C:\Program Files\Internet Explorer\IEXPLORE.EXE <--- 2nd browser running
    C:\Program Files\WinRAR\WinRAR.exe <--- should not be running but is running because of the next line
    C:\DOCUME~1\Rita\LOCALS~1\Temp\Rar$EX00.687\HijackThis.exe <-- you did not extract HJT from the ZIP file. You are running it directly from the ZIP. You will not get backups this way. You must address this before continuing.


    You must go to Control Panel, Add/Remove programs and uninstall Messenger Plus! 3. It installs all kinds of bad stuff including LOP on your PC.

    While in Add/Remove programs also look for ISTbar or ISTsvc and uninstall if found.

    Do you have any idea what the below Liesstop.exe process is? I believe that it is bad!
    O2 - BHO: (no name) - {697DFB9B-D137-91C5-0733-21FC51960448} - C:\DOCUME~1\Andy\APPLIC~1\OPTION~1\Liesstop.exe
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and run this: http://securityresponse.symantec.com/avcenter/FxIstbar.exe

    Now download: LSP - Fix

    First Step:

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the xfire_lsp_10908.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move xfire_lsp_10908.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Second Step:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\daqgyq.exe
    C:\WINDOWS\switpb.exe
    C:\Program Files\ISTsvc\istsvc.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

    If you did not know what this Liesstop.exe application is, fix the next line too.
    O2 - BHO: (no name) - {697DFB9B-D137-91C5-0733-21FC51960448} - C:\DOCUME~1\Andy\APPLIC~1\OPTION~1\Liesstop.exe

    O4 - HKLM\..\Run: [4NoPHwiaüžigÝY] C:\WINDOWS\daqgyq.exe
    O4 - HKLM\..\Run: [¢‰¸K0¨4W}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\daqgyq.exe
    O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\daqgyq.exe
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
    O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\daqgyq.exe
    O4 - HKLM\..\Run: [4No¿Çß]§ú"ü‰üžigÝY] C:\WINDOWS\daqgyq.exe
    O4 - HKLM\..\Run: [¢‰¸K0ÔÇè]mú*áaîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\daqgyq.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebyj32.exe
    O4 - HKLM\..\Run: [mhfyytq] c:\windows\system32\mhfyytq.exe
    O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpb.exe
    O4 - HKLM\..\Run: [Media multi idol open] C:\Documents and Settings\All Users\Application Data\coal way media multi\book noun.exe
    O4 - HKLM\..\Run: [²+Ÿe„šVnRÖ§j÷©OVó×C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\daqgyq.exe
    O4 - HKLM\..\Run: [²+Ÿe„š/‚²?ÆßfÏNb»1C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\daqgyq.exe
    O4 - HKLM\..\Run: [u7mS39g] tfsoci.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\ISTsvc <--- the whole folder
    C:\Documents and Settings\All Users\Application Data\coal way media multi <--- the whole folder
    C:\WINDOWS\daqgyq.exe
    C:\WINDOWS\switpb.exe
    C:\WINDOWS\system32\tfsoci.exe
    c:\windows\system32\mhfyytq.exe
    C:\windows\system32\elitebyj32.exe <--- normally you will find anywhere from 2 to 10 files starting with elite and ending in .exe. They all must be removed.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
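    The fix list above is a hand triage of a HijackThis log: the expert picks out Run values with garbled names, value names that mimic a real product, commands that are a bare filename with no path, executables parked under Documents and Settings, random-looking file stems, and the O10 line that says the Winsock LSP chain is broken. The script below, added here as an example and not code from this post, the thread, or HijackThis, encodes those same signals and runs them over a sample constructed from the O2/O4/O10 lines quoted in this thread plus one assumed benign Java updater entry for contrast. The folder markers in USER_WRITABLE and the product names in PRODUCT_NAMES are illustrative assumptions, not lists that HijackThis itself uses.

```python
"""Triage HijackThis O2/O4/O10 lines for the warning signs a reviewer reads
by eye: garbled or look-alike Run value names, bare filenames with no path,
executables in user-writable folders, random-looking file stems and a broken
Winsock LSP chain. Added example for this page, not code from the thread or
from HijackThis. SAMPLE_LOG is constructed from lines quoted in the thread
plus one assumed benign Java updater entry for contrast."""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {697DFB9B-D137-91C5-0733-21FC51960448} - C:\DOCUME~1\Andy\APPLIC~1\OPTION~1\Liesstop.exe
O4 - HKLM\..\Run: [4NoPHwiaüžigÝY] C:\WINDOWS\daqgyq.exe
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\daqgyq.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O4 - HKLM\..\Run: [Media multi idol open] C:\Documents and Settings\All Users\Application Data\coal way media multi\book noun.exe
O4 - HKLM\..\Run: [u7mS39g] tfsoci.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# Assumed markers for folders a limited user can write to; legitimate autoruns rarely live there.
USER_WRITABLE = ("documents and settings", "docume~1", "application data", "applic~1", "\\temp\\")
# Assumed short list of product names that fake autoruns imitate.
PRODUCT_NAMES = ("msn messenger", "windows messenger")


def executable_of(cmd: str) -> str:
    """Pull the executable out of a Run value, tolerating unquoted paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|scr|com|bat|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquatted value names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Weak heuristic: no vowels at all, or four or more consonants in a row."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if not letters:
        return False
    return not re.search(r"[aeiou]", letters) or re.search(r"[^aeiou]{4,}", letters) is not None


def check_executable(exe: str) -> List[str]:
    reasons = []
    if "\\" not in exe:
        reasons.append("BARE_FILENAME")      # found via the search path, not a fixed location
    if any(marker in exe.lower() for marker in USER_WRITABLE):
        reasons.append("USER_WRITABLE_PATH")
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append("RANDOM_NAME")
    return reasons


def check_value_name(name: str) -> List[str]:
    reasons = []
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        reasons.append("NONASCII_NAME")      # the garbled names the ISTbar entries carry
    if ":\\" in name:
        reasons.append("PATH_IN_NAME")       # a path stuffed into the value name itself
    if any(0 < edit_distance(name.lower(), p) <= 3 for p in PRODUCT_NAMES):
        reasons.append("LOOKALIKE_NAME")     # e.g. "MSN MMISSENGER"
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Return {log line: [reasons]} for every line worth a second look."""
    findings: Dict[str, List[str]] = {}
    for line in log.strip().splitlines():
        reasons: List[str] = []
        if line.startswith("O10 - Broken Internet access"):
            reasons.append("BROKEN_LSP")
        m = O2_RE.match(line)
        if m:
            reasons += check_executable(m["path"])
        m = O4_RE.match(line)
        if m:
            reasons += check_value_name(m["name"]) + check_executable(executable_of(m["cmd"]))
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(", ".join(why).ljust(45), line)
```

    The output is a worklist, not a verdict: the uk_nm.exe entry the expert removed passes every check here, and RANDOM_NAME fires on legitimate short names such as ctfmon.exe, so each flagged line still has to be looked up before it is fixed.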
     
  6. kiwiabroad

    kiwiabroad Private First Class

    Chaslang - Thanks very much for the instructions, everything seems to be working fabulously now - Derbiz.com gone, no annoying toolbar and popups have disappeared. I have attached another HJT log file anyway as some of the files you said to remove weren't there. Please let me know if there is anything else to be done. Once again thanks very much for your help.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never resolved what I stated in message number 4. You are still running HijackThis from the ZIP file using WinRar

    C:\DOCUME~1\Rita\LOCALS~1\Temp\Rar$EX00.375\hijackthis.exe

    You are not getting any backups! You must get this fixed!

    It looks like you missed some items I gave you last time and there are some new problems. Please make sure you follow steps exactly and that you provide feedback on the results.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\System32\msgview.exe
    C:\WINDOWS\System32\mlaefolderbrowse.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [u7mS39g] msgview.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebyj32.exe
    O4 - HKCU\..\Run: [fw52RVM5V] mlaefolderbrowse.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\Program Files\AutoUpdate <--- the whole folder
    C:\WINDOWS\System32\msgview.exe
    C:\WINDOWS\System32\mlaefolderbrowse.exe
    C:\windows\system32\elitebyj32.exe <--- normally you will find anywhere from 2 to 10 files starting with elite and ending in .exe. They all must be removed.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file. Again make sure you have enabled viewing of hidden files and system files or you may not be able to see these files.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. kiwiabroad

    kiwiabroad Private First Class

    OK, I'm thick. Tell me how to run HijackThis other than from the zip file please. You say I'm not getting backups and this has to be fixed - how? I assume by running HijackThis correctly so please tell me how to do it correctly. This is all like double-dutch to me and I need leading by the hand!!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To get hijackthis.exe extracted from the ZIP File into the location we requested do the following.

    The below will work on a WinXP-based system since it can deal with ZIP files.

    You need to create the C:\Program Files\HJT folder. Do the following:

    - Click START and select Explore.
    - Select the drive where Windows is installed (normally C:)
    - Navigate to the C:\Program Files folder and select it.
    - Now click on the top menu where it says File and then select New.
    - Then select Folder
    - A new folder is created and highlighted.
    - Just type HJT to overwrite the default name (New Folder)


    To extract hijackthis.exe:
    - locate the HijackThis.zip file you downloaded and right click on it
    - Select Extract All and click Next
    - Browse your way to the C:\Program Files\HJT folder created above
    - Select the folder and click Next
     
  10. kiwiabroad

    kiwiabroad Private First Class

    Hi Chaslang

    I've done everything you suggested and computer appears to be running fine. Have attached latest HijackThis log. I couldn't find the following:

    C:\WINDOWS\System32\msgview.exe
    C:\WINDOWS\System32\mlaefolderbrowse.exe

    O4 - HKLM\..\Run: [u7mS39g] msgview.exe
    O4 - HKCU\..\Run: [fw52RVM5V] mlaefolderbrowse.exe

    I now have Ad-aware SE Personal, Spybot Search & Destroy, SpywareBlaster, Spyguard and CCleaner on my computer which I update and run at least 3 times per week. I also have recently installed Sygate Personal Firewall Free. I currently have Norton Antivirus but this is due to expire in a couple of weeks. I must admit when I ran the Trend Micro free online virus scan, I was horrified to find 27 viruses that Norton had apparently not detected and was run only the day before the online scan. Can you recommend a good antivirus protection system please or do I have plenty now to keep my system relatively safe?

    Also, what did you mean in your message of 9.4.05 that I am not getting any backups and I must get this fixed? How please?

    Do I have to uninstall HijackThis at some point? If so, please can you give instructions on this also.

    Many thanks for all your help.
     


  11. kiwiabroad

    kiwiabroad Private First Class

    Just an update to my earlier message. I have just done another Trend Micro online virus scan. 6 trojans were found, 2 unable to be deleted as it says they are "currently in use" ??? They are:

    C:\WINDOWS\System32\ctfui1.exe
    C:\WINDOWS\System32\danfgwmi.exe
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See this thread it has several very good free ones and you need to make sure you do all of these steps anyway: How to Protect yourself from malware!

    I was referring to HijackThis backups. You had it running from the ZIP file. It cannot create backups of things you use it to fix if it is run that way.

    There is no need to uninstall HijackThis. You should keep it just in case it is needed at another time. It does not use any system resources as it only runs when you run it.

    You still have a couple of problems.

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\danfgwmi.exe
    C:\WINDOWS\System32\ctfui1.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [u7mS39g] danfgwmi.exe
    O4 - HKCU\..\Run: [fw52RVM5V] ctfui1.exe
    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\System32\danfgwmi.exe
    C:\WINDOWS\System32\ctfui1.exe

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Do not reboot or power down your PC at this point! Wait until we see if you are clean. Sometimes problems like you are having change names at reboots and what I posted above may not even apply anymore if they have changed.
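    The warning above about names changing at reboot is visible in this thread's own logs: the value names u7mS39g and fw52RVM5V stayed the same from message to message while the file they launched changed (tfsoci.exe, then msgview.exe, then danfgwmi.exe; mlaefolderbrowse.exe, then ctfui1.exe). The script below is an added example, not code from this post, the thread, or HijackThis; it keys O4 entries by hive, key and value name and compares successive logs so that a renamed target shows up as the same persistence entry rather than a new one. The three snapshots are constructed from the O4 lines quoted in messages 5, 7 and 12.

```python
"""Track HijackThis O4 autoruns across several logs from the same machine.

Added example for this page, not from the thread or from HijackThis. The
snapshots are constructed from the O4 lines quoted in the thread's logs."""
import re
from typing import Dict, List, Tuple

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.*)\] (?P<cmd>.*)$")

# Constructed: the O4 lines quoted in messages 5, 7 and 12, in that order.
SNAPSHOTS = [
    r"""
O4 - HKLM\..\Run: [u7mS39g] tfsoci.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
""",
    r"""
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [u7mS39g] msgview.exe
O4 - HKCU\..\Run: [fw52RVM5V] mlaefolderbrowse.exe
""",
    r"""
O4 - HKLM\..\Run: [u7mS39g] danfgwmi.exe
O4 - HKCU\..\Run: [fw52RVM5V] ctfui1.exe
""",
]

Key = Tuple[str, str, str]  # (hive, Run key, value name)


def autoruns(log: str) -> Dict[Key, str]:
    """Map each O4 entry in one log to the command it launches."""
    out: Dict[Key, str] = {}
    for line in log.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            out[(m["hive"], m["key"], m["name"])] = m["cmd"]
    return out


def compare(old: Dict[Key, str], new: Dict[Key, str]) -> Dict[str, list]:
    """Classify every entry as added, removed, retargeted (same value, new command) or unchanged."""
    report: Dict[str, list] = {"added": [], "removed": [], "retargeted": [], "unchanged": []}
    for k in sorted(set(old) | set(new)):
        if k not in old:
            report["added"].append((k, new[k]))
        elif k not in new:
            report["removed"].append((k, old[k]))
        elif old[k] != new[k]:
            report["retargeted"].append((k, old[k], new[k]))
        else:
            report["unchanged"].append((k, new[k]))
    return report


def persistent_renamers(logs: List[str]) -> Dict[Key, List[str]]:
    """Value names that survive across snapshots while their target changes.

    These are the entries to remove by value name, whatever the file is called
    today, and the reason the thread says not to reboot before the fix is done."""
    history: Dict[Key, List[str]] = {}
    for log in logs:
        for k, cmd in autoruns(log).items():
            seen = history.setdefault(k, [])
            if not seen or seen[-1] != cmd:
                seen.append(cmd)
    return {k: v for k, v in history.items() if len(v) > 1}


if __name__ == "__main__":
    for earlier, later in zip(SNAPSHOTS, SNAPSHOTS[1:]):
        for kind, entries in compare(autoruns(earlier), autoruns(later)).items():
            for entry in entries:
                print(kind.ljust(10), entry)
    print("renamers:", persistent_renamers(SNAPSHOTS))
```

    Keying on the value name rather than the file name is the point: a diff of file names alone would report each rename as one entry gone and one unrelated entry appeared.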
     
  13. daftmatty@hotmail.com

    daftmatty@hotmail.com Private E-2

    Last edited by a moderator: Apr 17, 2005
  14. kiwiabroad

    kiwiabroad Private First Class

    Hi Chaslang - thanks for instructions, sorry for delay in reply. Latest log attached.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Now you picked up another new problem. A phony MSN Messenger. I wonder where you keep getting this stuff from.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\mssmmspgr.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\System32\mssmmspgr.exe

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  16. kiwiabroad

    kiwiabroad Private First Class

    Hi Chaslang

    Yes, I would like to know where these problems are coming from too! Very frustrating. When I rebooted in safe mode I couldn't find the mssmmspgr.exe file, everything else worked ok.

    Latest HijackThis log attached.

    I don't know if it is of any relevance but my Sygate Personal Firewall keeps popping up the same 2 messages blocking access to the network for them (even tho' I repeatedly click the box "do not show this message again"), namely:

    Generic Host Process for Win32 Services (SVCHOST.EXE)
    NT Kernel & System (ntoskrnl.exe)

    Thanks again for your help
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! I'm not sure why Sygate is not keeping track that you told it not to allow svchost.exe to have network access. Maybe you need to look into its Programs list and set permissions manually.

    Maybe reading this link (in particular the message from a person named Wayward) will be useful to you:
    http://castlecops.com/postt107296.html
     
  18. kiwiabroad

    kiwiabroad Private First Class

    Hi Chaslang

    Thank goodness for that!! Thank you so much for all your help, there is no way I could have done it without you. I will try what you suggest with Sygate and what Wayward has said on castlecops.com.

    Thanks again
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
  20. inneedofhelk

    inneedofhelk Private E-2

    Hi, I too have got this problem. PLEASE HELP
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

