trying to get rid of derbiz.com

Discussion in 'Malware Help (A Specialist Will Reply)' started by inneedofhelk, May 8, 2005.

  1. inneedofhelk

    inneedofhelk Private E-2

    Please, I have tried all that is asked and no luck!!!!
    Even my Task Manager has somehow been disabled by the administrator.

    HELP HELP HELP
     
    Attached Files:

  3. inneedofhelk

    inneedofhelk Private E-2

    OK, tried all but formatting my hard drive!!!!
    Please help, this is a new log after all.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future, please do not post HJT logs unless they are requested. Read the Announcement!

    We first need to remove the below service:
    O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\WINDOWS\system32\iosdt\iosdt.exe (file missing)

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to distributed.net client (dnetc) ... right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":
    distributed.net client (dnetc)

    Now exit HijackThis.

    Are you booting to the below offline page on purpose:
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    If not, add it to the list of items to fix below with HJT.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteykc32.exe
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\system32\uk_nm.exe -N
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c283.cab
    O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\WINDOWS\system32\iosdt\iosdt.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\uk_nm.exe
    C:\windows\system32\eliteykc32.exe <--- also delete any other files that begin with elite and end with .exe. There could be a bunch of them.

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
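The steps in the post above are all manual GUI work (services.msc, HijackThis's "Delete an NT Service", ticking the R0/O4/O9/O16/O23 lines, deleting files in safe mode, clearing Prefetch). The following script is an added example and not something from the thread or from HijackThis; it does the same cleanup from an elevated PowerShell prompt, which did not exist on XP in 2005 but is the tool a practitioner would reach for today. Its assumptions: the service's short name is `dnetc` (the name in parentheses on the O23 line), the file paths and registry values are exactly those in the posted log, the O9 entries live under IE's `Extensions` key and the O16 entry under the `Code Store Database\Distribution Units` key (the locations HJT edits for those line types), and `about:blank` is used where the post suggests picking a home page of your own.

```powershell
# Added example, not from the original thread: chaslang's manual cleanup as
# one script run from an elevated PowerShell prompt.
# Assumptions: service short name "dnetc" (from the O23 line), the paths and
# values in the posted HJT log, and the usual IE Extensions / Code Store
# Database keys for the O9 and O16 entries.
# Run it as  .\cleanup.ps1 -WhatIf  first; nothing is changed in that mode.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$ServiceName = 'dnetc'
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValues   = 'checkrun', 'ASDPLUGIN'                       # the two O4 lines
$ExtGuid     = '{85d1f590-48f4-11d9-9669-0800200c9a66}'     # the O9 lines
$DpfClsid    = '{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}'     # the O16 line
$DropPaths   = "$env:windir\system32\uk_nm.exe",
               "$env:windir\system32\iosdt\iosdt.exe"        # O23 binary, may already be missing

# 1. Stop, disable and unregister the rogue service (services.msc + "Delete an NT Service").
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $ServiceName -Force }
    Set-Service -Name $ServiceName -StartupType Disabled
    if ($PSCmdlet.ShouldProcess($ServiceName, 'sc.exe delete')) {
        sc.exe delete $ServiceName | Out-Null
    }
}

# 2. Remove the autostart values under HKLM\...\Run (the O4 lines).
foreach ($name in $RunValues) {
    $prop = Get-ItemProperty -Path $RunKey -Name $name -ErrorAction SilentlyContinue
    if ($prop) {
        Write-Host "Removing Run value '$name' -> $($prop.$name)"
        Remove-ItemProperty -Path $RunKey -Name $name
    }
}

# 3. Remove the IE extra button / Tools item (O9) and the ActiveX download record (O16).
$regKeys = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\$ExtGuid",
           "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$DpfClsid"
foreach ($k in $regKeys) {
    if (Test-Path $k) { Remove-Item -Path $k -Recurse }
}

# 4. Delete the dropped executables. The post warns the elite*.exe name varies
#    and that there may be several, so glob for them instead of hard-coding one.
$targets = @($DropPaths) +
           @(Get-ChildItem -Path "$env:windir\system32\elite*.exe" -Force -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty FullName)
foreach ($f in $targets) {
    if (-not (Test-Path -LiteralPath $f)) { continue }      # e.g. iosdt.exe is "(file missing)"
    if ($PSCmdlet.ShouldProcess($f, 'Delete file')) {
        # The post's fallbacks: kill a running copy, clear read-only, then delete.
        Get-Process | Where-Object { $_.Path -eq $f } | Stop-Process -Force -ErrorAction SilentlyContinue
        (Get-Item -LiteralPath $f -Force).IsReadOnly = $false
        Remove-Item -LiteralPath $f -Force
    }
}

# 5. Clear Prefetch so stale launch records for the deleted binaries go too.
Get-ChildItem -Path "$env:windir\Prefetch" -File -ErrorAction SilentlyContinue | Remove-Item -Force

# 6. Put the hijacked start pages (the two R0 lines) back. about:blank is this
#    example's choice; the post suggests a site of your own.
foreach ($hive in 'HKCU', 'HKLM') {
    $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    if (Test-Path $main) { Set-ItemProperty -Path $main -Name 'Start Page' -Value 'about:blank' }
}
```

The order matters for the same reason the post insists on closing browsers first: a Run value or service that is still live can recreate what you just deleted, so persistence (service, Run values, IE hooks) goes before the files, and the files go before the start-page reset. Step 4 kills a process only if its image path matches exactly, which is deliberate; a name-only match would also kill a legitimate binary of the same name elsewhere.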
  5. inneedofhelk

    inneedofhelk Private E-2

    OK, tried what you asked and here is the new log. I hope all is well, but I think it's the same, and while I'm typing this the biz comes up.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit browsers (C:\Program Files\Internet Explorer\IEXPLORE.EXE) before using HJT. If you do not do this, it can be impossible to fix problems.

    You forgot to answer my question:

    Also, you did not get the below item fixed:
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteykc32.exe

    Repeat the steps again and make sure you look for ALL files beginning with elite and ending with exe and delete them.

    You also now have an Elite Toolbar problem. Please run this: EliteToolbar Remover

    Now reboot and then post a new HJT log and let me know how things look.
     
  7. inneedofhelk

    inneedofhelk Private E-2

    OK, I've done it again, and that offline page is something that came with the PC when I bought it? It's the Packard Bell offline blank page, just one small logo!!

    OK, I do close all explorers, but I can't use Task Manager to make sure it's not running because somehow it's been disabled by the administrator. I'm hoping the biz caused that and it comes back, or I'm sitting with another problem.
    OK, here is the new log. Must it be in safe mode or normal? I sent both.

    Thanks for all the help so far, and I'm sure you will beat this derbiz thing.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

     
  9. inneedofhelk

    inneedofhelk Private E-2

    OK, great. It's been about three hours online now and no biz, so it worked, thanks. BUT still got no Task Manager, got any help there??
    Ctrl-Alt-Del or right-click on the taskbar: everybody I know (and me, used to) get Task Manager, but now it's saying disabled by administrator.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log showed it running! Take a look for yourself.

    Who is the Administrator of the PC?

    Do regedit and msconfig run?
     
  11. inneedofhelk

    inneedofhelk Private E-2

    I see it. How to get rid of it? Is it wrong? Sorry, not too sure. I see it in the log but can't find it in the tick window.
    I'm the administrator. What must I do with regedit, and where is the other? Sorry, just stupid.
     
  12. inneedofhelk

    inneedofhelk Private E-2

    I mean get rid of the explorer.exe
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you save a log in HJT, you will see c:\windows\system32\taskmgr.exe in your process list. You can even look in the previous log you posted and see it. Also HJT has its own Process Manager where you can see the process list without saving a log.

    I just wanted you to try running regedit (do not do anything with it). I just want to see if it runs. The same goes for msconfig.

    To run regedit or msconfig: click Start, Run, and enter regedit or msconfig and then click OK. If they run, that is all I wanted to know.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what you are talking about. Why would you want to get rid of explorer.exe? It's your system shell. You need it.
     
  15. inneedofhelk

    inneedofhelk Private E-2

    Originally Posted by chaslang: "by the way you still had C:\Program Files\Internet Explorer\IEXPLORE.EXE running." That's what I meant. You asked me about it?
    Did run regedit and msconfig, both work.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, I did, but your last message said explorer.exe. They are not the same files.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run, and enter secpol.msc and click OK.

    Now in the left column look for Software Restriction Policies. Work your way through the subfolders there and see if there are any restrictions on running taskmgr.exe.
     
  18. inneedofhelk

    inneedofhelk Private E-2

    SORRY, typo. Tried the secpol.msc, Windows can't find the file.

    About the administrator: well, I'm the only one to use the PC. Logging in to safe mode I get the choice of me or the administrator.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So if you logon as administrator can you bring up Task Manager?
     
  20. inneedofhelk

    inneedofhelk Private E-2

    Yes, in safe mode it works.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you tried running secpol.msc, were you in safe mode or normal boot mode, and who were you logged in as? This file should be readily available.

    You should be able to find it at c:\windows\system32\secpol.msc

    Try locating it and double clicking on it from Windows Explorer.
     
  22. inneedofhelk

    inneedofhelk Private E-2

    I'm in normal mode, logged in as me. Tried to change to administrator in normal but can't!
    Looked for the file c:\windows\system32\secpol.msc, not there. Found a taskman.exe and a taskmgr.exe.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you enabled viewing of hidden and system files per the read me? Check again that the below are set correctly:

    Right Click Start.
    Select Explorer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.

    Try double clicking on taskmgr.exe. Does it run?
    Are you saying that you (when logged in as you) do not have administrator privileges?
     
  24. inneedofhelk

    inneedofhelk Private E-2

    taskmgr.exe says it's been disabled by administrator.
    Not sure if I have administrator privileges, just know there are two profiles:
    one the administrator, and then me, in safe mode.
    Normal mode doesn't have the administrator choice.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you check the settings I asked you to check?

    Login as Administrator. Bring up Control Panel and select User Accounts.
    Now select Change an account. Select your user name account.
    Now select Change my account type. Make sure you are a Computer administrator. If not, change it and then click Change Account Type.

    Now reboot and login as you and see what happens.
     
  26. inneedofhelk

    inneedofhelk Private E-2

    I'm logged in as Administrator, and in safe mode we both are administrator.
    Did check the settings and all are right, I've got all administrator rights.
    About the iexplorer.exe, how can I get rid of it?
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not want to get rid of iexplore.exe. It is your browser (Internet Explorer). You just do not want it running when you use HijackThis. For example, the message you are reading right now is in an Internet Explorer session. If you run HijackThis and save a log or run the Process Manager in HijackThis's Misc Tools you can see iexplore.exe running. It will show as:
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    or a similar shortened name may show. One process per browser window will show. If you close this current browser window and any others you have opened, none of them should be showing as running.

    Let's get back to Task Manager. If you make a copy of the c:\windows\system32\taskmgr.exe file in your c:\ folder and then rename it mytm.exe, does it run okay?

    Also look in c:\windows\system32 and sort the folder by Type and look for all files ending in .msc. Tell me what you find. You may have to first click View and select Details, and then you may have to right-click on the bar that shows the columns with Name, Size, Date Created, etc. and then enable Type.
     
    Last edited: May 11, 2005
  28. inneedofhelk

    inneedofhelk Private E-2

    OK, the Task Manager rename didn't work, same. OK, the .msc files, here we go:
    certmgr.msc, ciadv.msc, compmgmt.msc, devmgmt.msc, dfrg.msc, diskmgmt.msc, eventvwr.msc, fsmgmt.msc, lusrmgr.msc, ntmsmgr.msc, ntmsoprp.msc, perfmon.msc, services.msc, wmimgmt.msc
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Seems like 3 .MSC files are missing.
    GPEDIT.MSC
    RSOP.MSC
    SECPOL.MSC

    Are you running XP Home or Pro? I'm not sure if there is supposed to be a difference with which files should be there but I have the above three on all my XP Pro systems.

    Do you have an i386 folder on your PC? Like c:\i386 or c:\windows\i386
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below!


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixtm.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixtm.reg file on your Desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add to the registry say Yes.

     
    Last edited: May 11, 2005
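The quote box with the fixtm.reg contents did not survive on this page, so here is an added example (mine, not the thread's file) of the same repair. It assumes that the "Task Manager has been disabled by your administrator" message comes from the `DisableTaskMgr` policy value, and it also reports `DisableRegistryTools`, the matching value for regedit, which chaslang checked by asking whether regedit runs. Both hives are inspected because a value under HKCU only affects the profile that carries it; that would fit what the thread describes, with the Administrator account in safe mode still able to open Task Manager. Two caveats a practitioner would want: clearing the HKLM value needs an elevated prompt, and the three consoles listed as missing (gpedit.msc, rsop.msc, secpol.msc) are not shipped on XP Home at all, so their absence is not by itself evidence that anything was removed.

```powershell
# Added example, not the thread's fixtm.reg (its contents are missing from the
# page). Assumption: the "disabled by your administrator" message is produced
# by the DisableTaskMgr policy value; DisableRegistryTools is the regedit
# equivalent. HKCU restricts one profile, HKLM restricts every account.
$PolicyKeys   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValues = 'DisableTaskMgr', 'DisableRegistryTools'

function Get-ToolPolicy {
    # Report each restriction in each hive; Value is $null when it is not set.
    foreach ($k in $PolicyKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        foreach ($v in $PolicyValues) {
            [pscustomobject]@{ Key = $k; Name = $v; Value = $props.$v }
        }
    }
}

function Clear-ToolPolicy {
    # Delete the restriction values; the keys themselves are left in place.
    foreach ($k in $PolicyKeys) {
        foreach ($v in $PolicyValues) {
            if ($null -ne (Get-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue)) {
                Remove-ItemProperty -Path $k -Name $v
                Write-Host "Removed $v from $k"
            }
        }
    }
}

function Write-FixReg {
    # The same fix as a .reg file, for the Notepad / double-click route the post
    # describes. In .reg syntax a value line ending in  =-  deletes that value.
    param([string]$Path = "$env:USERPROFILE\Desktop\fixtm.reg")
    $lines = @('Windows Registry Editor Version 5.00', '')
    foreach ($k in $PolicyKeys) {
        $hive = $k -replace '^HKCU:', 'HKEY_CURRENT_USER' -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
        $lines += "[$hive]"
        foreach ($v in $PolicyValues) { $lines += "`"$v`"=-" }
        $lines += ''
    }
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

Get-ToolPolicy | Format-Table -AutoSize   # before
Clear-ToolPolicy
Get-ToolPolicy | Format-Table -AutoSize   # after: every Value should now be empty
Write-FixReg                              # prints the path of the generated .reg
```

Run `Get-ToolPolicy` on its own first if you only want to see which hive carries the value; that tells you whether one profile or the whole machine was restricted, and hence how far the infection reached. Task Manager reads the value when it starts, so no reboot is needed after clearing it.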
  31. inneedofhelk

    inneedofhelk Private E-2

    Thanks a lot, that worked.
    I got it all back. THANKS.
    OK, now how can I make more virtual memory? I use the Windows default settings.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    You should discuss your virtual memory question in the Software Forum.
     
  33. ugly bob

    ugly bob Private E-2

    Hey, I'm having similar problems to everyone with derbiz. I have downloaded a whole load of spyware stuff (MS, Spyblaster, Spybot, etc.) and it still keeps coming back. Here is my HijackThis thing, can someone browse it for me?
    Thanks a lot

    Ugly bob
     
    Last edited by a moderator: May 18, 2005
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post in your own thread and read the announcement and follow the sticky thread procedures first. Do not post HJT logs unless requested.
     
