Derbiz.com Hijacker

November 11, 2006 on 4:24 pm | In Malware analysis | 1 Comment

Originally posted Apr 30 2005, 01:09 PM

A very active variant of Dialer.Asdplug: http://www.sarc.com/avcenter/venc/data/dialer.asdplug.html

Can be recognized in a HijackThis log as:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/

O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N

Fix those entries and delete the file %System%\.exe (in the example, C:\WINDOWS\System32\uk_nm.exe).

In the registry the following changes may have to be made.

Copy the registry script below (from the REGEDIT4 line through the [-HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN] line) into Notepad and save it as noASD.reg.
Double-click the file and confirm that you want to merge it with the registry.

REGEDIT4

; EnableAutodial is a DWORD value; the dialer switches it on so that it can dial out
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutodial"=dword:00000000

; the leading minus sign deletes the dialer's own key
[-HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN]

Beware that the EnableAutodial might have had the value 1 before the infection and the user may even need it.
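As an added illustration (not code from the original post), the following Python checker applies the two HijackThis indicators described above to log text and builds the cleanup .reg script, taking the pre-infection EnableAutodial value as a parameter so the caveat above can be honoured. The sample log lines are constructed for the example, and the R0/O4 line layouts are assumed to match the HijackThis output shown above.

```python
import re

# Indicators taken from the post; the sample log below is constructed, not a real capture.
HIJACK_HOST = "community.derbiz.com"
RUN_ENTRY_NAME = "ASDPLUGIN"

# HijackThis layouts: "R0 - <key>,<value name> = <data>" and "O4 - <hive>\..\Run: [<name>] <command>".
R0_RE = re.compile(r"^R0 - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def executable_from_command(cmd):
    """Return the program path from a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def find_asdplug_indicators(log_text):
    """Return (indicator, detail) pairs for the two entries the post describes."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R0_RE.match(line)
        if m and m["name"].strip() == "Start Page" and HIJACK_HOST in m["data"].lower():
            hits.append(("start_page_hijacked", m["data"].strip()))
            continue
        m = O4_RE.match(line)
        if m and m["name"].upper() == RUN_ENTRY_NAME:
            hits.append(("asdplugin_run_entry", executable_from_command(m["cmd"])))
    return hits

def cleanup_reg_script(enable_autodial="0"):
    """Build the REGEDIT4 script from the post; pass "1" if the user needed autodial before the infection."""
    value = int(enable_autodial)
    return (
        "REGEDIT4\n\n"
        "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\n"
        f'"EnableAutodial"=dword:{value:08x}\n\n'
        "[-HKEY_LOCAL_MACHINE\\SOFTWARE\\ASDPLUGIN]\n"
    )

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for kind, detail in find_asdplug_indicators(SAMPLE_LOG):
        print(kind, detail)
    print(cleanup_reg_script())
```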

This one is often found in the company of EliteBar. They may be related.

1 Comment »


  1. […] This looks like a mix of the old IEAccess dialers from eGroup and the Derbiz Hijacker I blogged about earlier: http://www.pieter-arntz.info/wordpressblog/?p=21 […]

    Pingback by Metallica’s blog » surfya dialer — November 11, 2006 #
