Please help me remove Derbiz

Discussion in 'Malware Help (A Specialist Will Reply)' started by Markn, May 24, 2005.

  1. Markn

    Markn Private E-2

    Having read your tutorial I'm still stuck trying to remove Derbiz from my PC. I've used Norton's Internet Security, followed by ad-aware and spybot. None of these seem to detect Derbiz. I've run HJT and hope that you will be able to look at the log for me.

    Thanks,

    Mark
     


  2. wildkyle

    wildkyle Private E-2

    hello mark,

    I would definitely have HJT fix the following line item:

    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/

    Then I would remove all the R0 & R1 items if you don't know the web address.

    Hope this helps

    ~kyle
     
  3. jeff6303j

    jeff6303j Private E-2

    Did you run all the tools in the http://forums.majorgeeks.com/showthread.php?t=35407 tutorial? Because it looks like there are still temp files. Please list all tests you have run, and if you have not run any of them please do so, and then repost the log.

    If you have already run all the tests, you can start by removing

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\gegre.dll (file missing)
    O4 - HKLM\..\Run: [Windows Update Auto Update] wuaumgr.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\WcisZRpq.exe
    O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\uk_nm.exe -N
    O4 - HKLM\..\RunServices: [Windows Update Auto Update] wuaumgr.exe
    O4 - HKCU\..\Run: [Microsoft Update] wssvrs.exe
    O4 - HKCU\..\Run: [NAV Auto Updates] navupdaterx.exe
    O4 - HKCU\..\Run: [Windows Update Auto Update] wuaumgr.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

    These items, I believe, should all be removed, but I DO NOT recommend removing them until someone else looks at and verifies these ones!
    O4 - HKLM\..\Run: [il mio dolce tesoro] monycom.exe
    O4 - HKLM\..\Run: [tlpIgFm4] C:\windows\temp\tlpIgFm4.exe
    O4 - HKLM\..\Run: [t] C:\windows\system32\t.exe
    O4 - HKLM\..\Run: [zmzad] C:\WINDOWS\zmzad.exe
    O4 - HKLM\..\Run: [Aaxbladk] C:\Program Files\Dptl\Mcap.exe
    O4 - HKLM\..\Run: [Awxsa] C:\Program Files\Lszgce\Hfmpdw.exe
    O4 - HKLM\..\Run: [6143aecfc716] C:\WINDOWS\System32\CMUTIL24.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevdp32.exe
    O4 - HKLM\..\Run: [tlpIgFm4.exe] C:\windows\temp\tlpIgFm4.exe
    O4 - HKLM\..\Run: [t.exe] C:\windows\system32\t.exe
    O4 - HKCU\..\Run: [Ywu8ROHtT] dmselex.exe

    Post any more info.

    Gl Hf
    Jeff
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Pretty close Jeff. You just need to stop some processes first to avoid having the malware add itself back into the registry as soon as you fix the lines in HJT. Also you need to delete the files too. I included a full cleanup procedure below. Take a look at it!

    Markn,

    Please install HijackThis to a safe folder that is not on your Desktop nor in Documents and Settings. Read the sticky thread for HijackThis.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Windows Update Service (or look for muamgrd if the long name is not found). Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Windows Update Service

    If that does not work try entering the short name: muamgrd

    Now exit HijackThis.

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\wuaumgr.exe
    C:\WINDOWS\System32\CMUTIL24.exe
    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\gegre.dll (file missing)
    O4 - HKLM\..\Run: [il mio dolce tesoro] monycom.exe
    O4 - HKLM\..\Run: [tlpIgFm4] C:\windows\temp\tlpIgFm4.exe
    O4 - HKLM\..\Run: [t] C:\windows\system32\t.exe
    O4 - HKLM\..\Run: [Windows Update Auto Update] wuaumgr.exe
    O4 - HKLM\..\Run: [11856b51a6ad] C:\WINDOWS\System32\ATMPVCNO.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\WcisZRpq.exe
    O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
    O4 - HKLM\..\Run: [zmzad] C:\WINDOWS\zmzad.exe
    O4 - HKLM\..\Run: [Aaxbladk] C:\Program Files\Dptl\Mcap.exe
    O4 - HKLM\..\Run: [Awxsa] C:\Program Files\Lszgce\Hfmpdw.exe
    O4 - HKLM\..\Run: [6143aecfc716] C:\WINDOWS\System32\CMUTIL24.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevdp32.exe
    O4 - HKLM\..\Run: [tlpIgFm4.exe] C:\windows\temp\tlpIgFm4.exe
    O4 - HKLM\..\Run: [t.exe] C:\windows\system32\t.exe
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\uk_nm.exe -N
    O4 - HKLM\..\RunServices: [Windows Update Auto Update] wuaumgr.exe
    O4 - HKCU\..\Run: [Microsoft Update] wssvrs.exe
    O4 - HKCU\..\Run: [NAV Auto Updates] navupdaterx.exe
    O4 - HKCU\..\Run: [Windows Update Auto Update] wuaumgr.exe
    O4 - HKCU\..\Run: [Ywu8ROHtT] dmselex.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
    O23 - Service: Windows Update Service (muamgrd) - Unknown owner - C:\WINDOWS\System32\muamgrd.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\system32\monycom.exe
    C:\windows\temp\tlpIgFm4.exe
    C:\windows\system32\t.exe
    C:\WINDOWS\System32\ATMPVCNO.exe
    C:\WINDOWS\System32\WcisZRpq.exe
    c:\windows\saap.exe
    C:\WINDOWS\zmzad.exe
    C:\Program Files\Dptl\Mcap.exe
    C:\Program Files\Lszgce\Hfmpdw.exe
    C:\WINDOWS\system32\wssvrs.exe
    C:\WINDOWS\system32\navupdaterx.exe
    C:\WINDOWS\system32\dmselex.exe
    C:\WINDOWS\system32\Searchx.htm
    C:\WINDOWS\system32\wuaumgr.exe
    C:\WINDOWS\System32\muamgrd.exe
    C:\WINDOWS\System32\CMUTIL24.exe
    C:\WINDOWS\system32\uk_nm.exe
    C:\windows\system32\elitevdp32.exe <--- also delete any other files that begin with elite and end with .exe. There could be a bunch of them

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. Markn

    Markn Private E-2

    Thanks for the help Chaslang,

    I've run through your procedure, making sure HJT was run from a C: directory. I didn't find all the .exe files you list, but successfully deleted those that I did.

    My new log file is attached.

    MarkN
     


  6. jeff6303j

    jeff6303j Private E-2

    Dangit, I forgot about the services and deleting files :(

    Just one question: how/when do you know when to delete the files from the system folders before/after you run HJT and remove via HJT? Or do you just know from experience? I would have probably messed that up and had them delete all of them via safe mode.

    Thnx,

    gl hf
     
  7. jeff6303j

    jeff6303j Private E-2

    Looks like you missed something.

    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevdp32.exe

    Also after removing, run in safe mode and delete

    C:\windows\system32\elitevdp32.exe <--- also delete any other files that begin with elite and end with .exe. There could be a bunch of them

    After that, that's all I see.

    repost HJT log after that.

    thnx

    gl hf
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's correct Jeff! That one still remains and needs to be fixed again. It is important to make sure all the elitexxxxx.exe files are deleted or this can happen.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Standard procedure that works for most cases:
    - start from normal boot mode so that all items have loaded and can be seen
    - kill processes
    - fix bad entries seen in HJT log
    - boot to safe mode and delete files (obviously viewing of hidden & system files must be enabled). While it is not always necessary to be in safe mode, it is in many cases. So it is just a good practice to always use.
    - cleanup (ccleaner & prefetch emptied)
    - reset web settings if necessary (case by case determination)
    - reboot normal mode and get new HJT to double check how things went and that nothing new pops up. Some malware problems can mask others.
     
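As an added example (not from this thread, from HijackThis, or from any of the posters), here is the triage step that posts #4 and #9 walk through, run over a constructed set of log lines modelled on the entries quoted above: parse the R/O4/O23 lines, flag the same signs the helpers acted on (a file:// or unexpected start page, an entry marked file missing, an autorun from a temp folder, a service with unknown owner, one binary registered under several Run keys), and derive the safe-mode delete list. The rule that a bare file name in a Run value resolves to system32, and the set of expected home-page hosts, are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample modelled on the HijackThis entries quoted in this thread (not the OP's attached log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
O4 - HKLM\..\Run: [Windows Update Auto Update] wuaumgr.exe
O4 - HKLM\..\RunServices: [Windows Update Auto Update] wuaumgr.exe
O4 - HKCU\..\Run: [Windows Update Auto Update] wuaumgr.exe
O4 - HKLM\..\Run: [tlpIgFm4] C:\windows\temp\tlpIgFm4.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\uk_nm.exe -N
O23 - Service: Windows Update Service (muamgrd) - Unknown owner - C:\WINDOWS\System32\muamgrd.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
R_RE = re.compile(r"^R[01] - .*? = (.*)$")
EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)
# Assumption, mirroring the delete list in this thread: a bare file name in a Run value lives in system32.
DEFAULT_DIR = r"C:\WINDOWS\system32"

def resolve_exe(cmd):
    """Strip arguments from an O4 command value and qualify a bare file name with DEFAULT_DIR."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group(1) if "\\" in m.group(1) else DEFAULT_DIR + "\\" + m.group(1)

def triage(log_text, expected_hosts):
    """Return (findings, delete_list): a reason per suspicious line, and the files to delete in safe mode."""
    findings, targets = [], []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m_r, m_o4 = R_RE.match(line), O4_RE.match(line)
        if line.endswith("(file missing)"):
            findings.append((line, "orphaned entry: the referenced file is already gone, fix the line"))
        if m_r and (m_r.group(1).startswith("file://") or urlparse(m_r.group(1)).hostname not in expected_hosts):
            findings.append((line, "IE start/search setting points somewhere unexpected"))
        path = m_o4 and resolve_exe(m_o4.group(4))
        if path:
            targets.append(path.lower())  # every O4 binary is a candidate for the safe-mode delete list
            if "\\temp\\" in path.lower():
                findings.append((line, "autorun launched from a temp folder"))
        if line.startswith("O23") and "Unknown owner" in line:
            findings.append((line, "service with no registered owner"))
    for path, n in Counter(targets).items():
        if n > 1:  # one binary under HKLM Run, RunServices and HKCU Run: fixing a single key is not enough
            findings.append((path, f"same file registered under {n} Run keys (redundant persistence)"))
    return findings, sorted(set(targets))
```

The delete list is only a starting point: as the thread shows, files that no longer exist, and files like the elite*.exe family that appear under no Run key, still have to be checked by hand in safe mode.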
