ZIPZAPPROMOS and telephone bill - hijack this log included
Hi, this is my first time posting on this forum, but I have been looking around for a few weeks now. I have been getting the ZIPZAPPROMOS popups and have been looking for a way to get rid of them, but I didn't think it was any big deal, until now. I sat down to do my bills, and on my SBC bill I found a USBI insert with 8 calls to DIEGO GARCXX included, totaling $156.50, and the lady I talked to at the 888 number said it was from a computer dialer.
So now the question is: is ZIPZAP a dialer, or was I hijacked by someone else? I have run the latest Spybot, Ad-Aware, CWShredder, and SpywareBlaster, but none seem to find anything. Here is my HijackThis log, and I will be talking to USBI and SBC Monday when offices are open. Thanks in advance for any help anyone can provide.
Jeff-
Logfile of HijackThis v1.99.0
Scan saved at 7:59:37 PM, on 2/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I have updated and run all my spyware programs and Norton in Safe Mode with System Restore turned off since then, but here is my installed program log.
INSTALLED SOFTWARE (96) - JEFF - 2/19/2005 9:45:53 AM
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update Ver: 6.0.2 Installed: 11/15/2004
Adobe Reader 6.0.1 Ver: 006.000.001 Installed: 11/15/2004
ArcSoft PhotoImpression 2000
Autodesk Inventor 8 Ver: 8.0.0000.07270 Installed: 11/17/2004
Banctec Service Agreement Ver: 1.10.0000 Installed: 11/15/2004
Barbie(TM) as The Princess and the Pauper Demo
Barbie(TM) Fashion Show(TM) CD-ROM
bvydqakmc
Call of Duty - United Offensive Ver: 1.00.0000 Installed: 12/25/2004
Call of Duty - United Offensive Ver: 1.00.0000 Installed: 12/25/2004
Call of Duty Game of the Year Edition
ccCommon Ver: 103.0.2.10 Installed: 11/16/2004
Civilization III Complete Edition Ver: 1.00.0000 Installed: 1/19/2005
Civilization III Complete Edition Ver: 1.00.0000 Installed: 1/19/2005
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool Ver: 1.02.0000 Installed: 11/15/2004
Dell Media Experience
Dell Support 5.0.0 (630)
Dell System Restore Ver: 2.00.0000 Installed: 11/15/2004
Digital Line Detect Ver: 1.10
Disney's Toontown Online
HijackThis 1.99.0 Ver: 1.99.0
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections Ver: 8.00.5000 Installed: 11/15/2004
Internet Explorer Default Page Ver: 1.00.03 Installed: 11/15/2004
Internet Worm Protection Ver: 11.0.2 Installed: 11/16/2004
Jasc Paint Shop Photo Album Ver: 4.0.3 Installed: 11/15/2004
Jasc Paint Shop Pro 8 Dell Edition Ver: 8.10.0000 Installed: 11/15/2004
Java 2 Runtime Environment, SE v1.4.2_03 Ver: 1.4.2_03 Installed: 11/15/2004
Java 2 Runtime Environment, SE v1.4.2_06 Ver: 1.4.2_06 Installed: 12/9/2004
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation) Ver: 3.0.0
LiveUpdate 2.6 (Symantec Corporation) Ver: 2.6.14.0
Medal of Honor Allied Assault
Medal of Honor Allied Assault(tm) Spearhead
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 2/11/2005
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Excel 97
Microsoft Flight Simulator 2004 A Century of Flight Ver: 9.0
Microsoft Plus! Digital Media Edition Installer Ver: 1.1.0.3514 Installed: 11/15/2004
Microsoft Plus! Photo Story 2 LE Ver: 1.1.0.3463 Installed: 11/15/2004
Microsoft Word 97
Modem Helper Ver: 2.28
MSRedist Ver: 1.0.0.0 Installed: 11/16/2004
Musicmatch for Windows Media Player Ver: 0.00.000
Musicmatch® Jukebox Ver: 9.00.2062b
NetWaiting Ver: 2.5.12
Norton AntiVirus 2005 Ver: 11.0.2 Installed: 11/16/2004
Norton AntiVirus Parent MSI Ver: 10.0.0 Installed: 11/16/2004
Norton SystemWorks Ver: 1.0.0 Installed: 11/16/2004
Norton SystemWorks 2005 Ver: 8.02.6 Installed: 11/16/2004
Norton SystemWorks 2005 (Symantec Corporation) Ver: 8.00.99
Norton Utilities Ver: 18.0.0 Installed: 11/16/2004
Norton WMI Update Ver: 2005.1.0.111 Installed: 11/16/2004
NSW_DRM_COLLECTION Ver: 1.0.0 Installed: 11/16/2004
PowerDVD 5.3
QuickTime
RealPlayer Basic
Shockwave Flash
SimCity 4 Deluxe
Sonic DLA Ver: 4.95 Installed: 11/15/2004
Sonic RecordNow! Ver: 7.3 Installed: 11/15/2004
Sonic Update Manager Ver: 2.9 Installed: 11/15/2004
Sound Blaster Live! 24-bit
SPBBC Ver: 1.00.0000 Installed: 11/16/2004
Spybot - Search & Destroy 1.3 Ver: 1.3
SpywareBlaster v3.2 Ver: 3.2.0
Symantec Network Drivers Update Ver: 5.4.4.17 Installed: 2/18/2005
Symantec Script Blocking Installer Ver: 11.0.2 Installed: 11/16/2004
SymNet Ver: 5.4.2.17 Installed: 11/16/2004
Viewpoint Media Player
WebFldrs XP Ver: 9.50.7523 Installed: 8/11/2004
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Ver: 9.00.3636 Installed: 11/15/2004
Windows XP Hotfix - KB834707 Ver: 20040929.110854
Windows XP Hotfix - KB867282 Ver: 20050127.090417
Windows XP Hotfix - KB873333 Ver: 20050114.005213
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB888310 Ver: 20041027.095746
Windows XP Hotfix - KB890047 Ver: 20041221.124506
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB891781 Ver: 20050110.165439
WordPerfect Office 12 Ver: 12.0.0.238 Installed: 11/15/2004
Last edited by Jaguar; 19th February 2005 at 15:54.
You're right on! Download the "Registry Search Tool" (RegSrch.vbs) from here: http://www.billsway.com/vbspage/
Start it, paste in bvydqakmc, wait, and hit OK. Then, when WordPad opens, copy that back here please.
; Registry search results for string "bvydqakmc" 2/19/2005 1:38:32 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
You will need to turn off System Restore to purge the rogue files from your restore points. Right-click My Computer and choose Properties. On the System Restore tab, check the box to turn it off. OK out.
Unzip the files to a folder, then open it and double-click Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\System32\bvydqakmc.exe
Check the box to delete on reboot and click the red X to the right. Click OK, then No to reboot now. Copy the next file path and paste it in the box, and repeat the above steps. When all of the below file paths are done, close Killbox.
Download and install Reglite. Open it and copy/paste the following string into the address window, then click Go.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The forum format puts a space in the word current that you will need to edit out before clicking Go.
Right-click the "bvydqakmc"="c:\\windows\\system32\\bvydqakmc.exe -start" value in the right pane and delete it. Then copy/paste the following.
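The RegSrch-then-Reglite steps above boil down to two checks a defender can script: search an exported Run key for a given string, and look for autorun values whose executable name is a random string of letters (the way "bvydqakmc" stood out in both the Run key and the installed-programs list). The following is an added example written for this thread, not code from the forum or from the RegSrch/Reglite tools. The .reg-style export it parses is constructed; only the "bvydqakmc" line mirrors the value quoted above, and the "random-looking name" test is a heuristic I am assuming here, not a rule the thread states.

```python
"""Audit Windows Run-key autorun entries from a .reg-style export.

Added example, not code from the thread or from RegSrch/Reglite. The export
text below is constructed for this example; only the "bvydqakmc" value
mirrors the entry quoted in the thread. The random-looking-name test is a
heuristic assumed here, not a rule stated on the page.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in .reg export syntax (the format RegSrch.vbs writes).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\WINDOWS\\system32\\exampletray.exe"
"bvydqakmc"="c:\\windows\\system32\\bvydqakmc.exe -start"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MediaTray"="C:\\Program Files\\Example Media\\tray.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str        # registry key the value lives under
    name: str       # value name
    command: str    # unescaped command line
    exe_path: str   # executable portion of the command line


def parse_reg_export(text: str) -> List[AutorunEntry]:
    """Return every string value found under any key in the export."""
    entries: List[AutorunEntry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1)
            continue
        val = VALUE_RE.match(line)
        if not val or not key:
            continue
        # .reg escapes backslashes and quotes with a backslash; undo that.
        command = re.sub(r'\\(.)', r'\1', val.group(2))
        exe = EXE_RE.match(command)
        exe_path = exe.group(1) if exe else command
        entries.append(AutorunEntry(key, val.group(1), command, exe_path))
    return entries


def find_references(entries: List[AutorunEntry], needle: str) -> List[AutorunEntry]:
    """Case-insensitive search over names and data, like pasting a string into RegSrch."""
    n = needle.lower()
    return [e for e in entries if n in e.name.lower() or n in e.command.lower()]


def looks_random(stem: str) -> bool:
    """Heuristic (assumed): a long file name with almost no vowels is likely generated."""
    s = stem.lower()
    if len(s) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in s)
    return vowels / len(s) < 0.25


def audit(text: str) -> List[AutorunEntry]:
    """Flag autorun entries whose executable name looks machine-generated."""
    flagged = []
    for e in parse_reg_export(text):
        stem = ntpath.splitext(ntpath.basename(e.exe_path))[0]
        if looks_random(stem):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in audit(REG_EXPORT):
        print(f"suspicious autorun: {e.key}\\{e.name} -> {e.exe_path}")
```

Run it as-is and the only entry it flags is the bvydqakmc value; point `parse_reg_export` at a real export of your own Run keys and anything it flags is worth a second look before you delete it, since the vowel-ratio test is only a hint and a legitimate program with a terse name can trip it.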
I had a problem with the Killbox program. The computer locked up and I had to turn it off manually; then I ran RegSrch and RegLite again to kill the bvydqakmc instances, re-ran Killbox, and it seems to be working.
I still don't know about the money that USBI wants from me through SBC. I will post again after talking to them, but I don't see how I should be held liable for popups on my computer that I didn't ask for, that took hours of work to be rid of, and that probably my 11-year-old daughter clicked on. Maybe I should bill them for my time working on this, say $120.00/hr, 12 hours, for a total of $1440.00. (If they pay I will donate it to SpyBot in noahdfear's (Dave's) name.)
Thanks for your help; the popups seem to have quit. Here is my HJT log, in case you see anything that needs attention.
Logfile of HijackThis v1.99.0
Scan saved at 6:40:59 PM, on 2/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Log looks good. Suggest you run an online virus scan with RAV. If any files are infected, click the Report button, then copy and paste it here. If it's clean, re-enable System Restore and create a manual restore point.
Also recommend you check your firewall's activity logs (program access) and remove access for anything you don't recognize as valid. If unsure of anything, Google it or ask here.
I don't see Spybot's SDHelper.dll BHO in your last log. Open the folder where Spybot resides (usually C:\Program Files\Spybot S&D) and see if the file is there. If not, get the zip file here and extract the file to that folder. Then open Spybot and re-enable SDHelper. Also recommend you open Spybot and click Mode on the toolbar, then Advanced mode. Click Immunize in the left pane, then Immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster; download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click the Tools button, then IE Tweaks, and at least lock the HOSTS file.
Then download and install IESpyAd.
That will give you some added layers of protection against unwanted parasites.
Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 326
My Windows Firewall (should I get ZoneAlarm? I only have a dial-up connection) has some entries I am not sure about. Under the Exceptions tab they are CoDUOMP, Microsoft DirectPlay8 Server, Peer Name Resolution Protocol (PNRP), UPnP Framework, and Windows Peer-to-Peer Grouping. In the Advanced tab, along with my ISP name, I have a checked box next to "access-to", and when I click the Settings button, it has a list under the Services tab with "Teredo" checked.
I had the Spybot resident program disabled during the last scan because of all the registry editing I was doing; I have since re-enabled it, along with TeaTimer. I also make sure the immunization is up to date, and I have already set up the IE Tweaks as you describe. I also keep SpywareBlaster up to date.
I don't have IESpyAd yet, but will download it tomorrow. Again, thanks for your help and have a great day.
I have noticed that on the Start menu, under Connect To, I have a new entry. It looks like the dialer that has charged my phone bill, called "access-to", and it uses the modem to connect. The phone number is not given, only ********, but everything else looks like a normal dial-up connection.
How would I go about getting rid of all traces of this, since it seems only deleting crapware doesn't always do the job? Do you think there are more hooks in my computer that I need to delete to get rid of this "access-to" dialer?
Go into Show All Connections and delete the new dial-up connection, if that's what it is. I would recommend you run RegSeeker to clean out the registry. Download and extract it to its own folder, open the program, maximize the window and click Clean Registry. When the scan is complete, verify the backup box in the lower left corner is checked and click the Select All button. Then right-click within the search results and select Delete. Now do a quick check of your installed programs' functionality. I've never had RegSeeker remove anything vital that it wasn't supposed to, but you never know. If all is well, run it again and again until it comes up clean, again checking other programs between runs. Should something go wrong, click the Backup button and restore the last run, then rerun and exclude entries associated with whatever it broke. Click the Histories button and there are choices to clean up the Start menu, typed URLs, TIFs you thought were gone, stream MRU keys, etc. Use them too, and do another Clean Registry. It probably wouldn't even be a bad idea to reboot and run again. A lot of work, but it does run relatively quickly, so you're not looking at hours to do this.
If you do install a third-party firewall, you will be prompted for internet access, at least once, by ANY program looking for it if you configure it to alert you. You will then be able to see, from within the program, the filename and location of anything that has requested access. Make sure to disable the XP firewall if you use a third-party one.
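The "access-to" connection that showed up under Connect To, with its number masked as ********, is the kind of thing a defender wants to enumerate from the file rather than the dialog. Windows stores dial-up connections in an INI-style phonebook (rasphone.pbk, typically under the all-users and per-user Application Data\Microsoft\Network\Connections\Pbk folders). The following is an added example written for this thread, not code from the forum or any tool. It assumes the phonebook uses the PhoneNumber, CountryCode, Type and Device keys and stores the number in clear text, which is my understanding of the format and not something the thread confirms; the phonebook text it parses is constructed, with a fictitious 555 number behind a US international-access prefix, and the international-prefix and country-code checks are my own assumptions about what a runaway dialer looks like.

```python
"""List and sanity-check dial-up entries from a rasphone.pbk phonebook.

Added example, not code from the thread. Windows keeps dial-up connections
in an INI-style file (typically ...\\Application Data\\Microsoft\\Network\\
Connections\\Pbk\\rasphone.pbk, all-users and per-user); the key names used
here (PhoneNumber, CountryCode, Type, Device) follow that layout as I
understand it, and the sample text is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample phonebook: one legitimate ISP entry and one that looks
# like the "access-to" connection described in the thread. The phone number
# is a made-up 555 number behind a US international-access prefix.
PHONEBOOK = """\
[ExampleISP]
Type=1
PhoneNumber=5550100
CountryCode=1
Device=Conexant D850 56K V.9x DFVc Modem

[access-to]
Type=1
PhoneNumber=011555019900
CountryCode=1
Device=Conexant D850 56K V.9x DFVc Modem
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
INTL_PREFIXES = ("011", "00", "+")   # assumed: international access from a US line


def parse_phonebook(text: str) -> Dict[str, Dict[str, str]]:
    """Return {connection name: {key: value}} for every section in the file."""
    book: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            book[current] = {}
        elif current is not None and "=" in line:
            k, _, v = line.partition("=")
            book[current][k.strip()] = v.strip()
    return book


def find_suspicious_entries(text: str, known_names: Tuple[str, ...] = (),
                            expected_country: str = "1") -> List[Tuple[str, List[str]]]:
    """Flag connections the user did not create or that dial abroad.

    Reasons reported: unknown name, international access prefix in the number,
    country code different from the user's own.
    """
    flagged: List[Tuple[str, List[str]]] = []
    for name, fields in parse_phonebook(text).items():
        reasons: List[str] = []
        if name not in known_names:
            reasons.append("not a connection you set up")
        # Strip separators so "011-555-..." and "011555..." compare the same.
        number = re.sub(r"[\s\-()]", "", fields.get("PhoneNumber", ""))
        if number.startswith(INTL_PREFIXES):
            reasons.append(f"dials an international number ({number})")
        if fields.get("CountryCode", expected_country) != expected_country:
            reasons.append(f"country code {fields['CountryCode']}")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in find_suspicious_entries(PHONEBOOK, known_names=("ExampleISP",)):
        print(f"{name}: " + "; ".join(reasons))
```

Against the constructed phonebook only "access-to" is reported, for two reasons (it is not a known connection and its number carries an international prefix). Feeding it the real file, with your own ISP's entry in `known_names`, gives you the actual number the Connect To dialog hid, which is the evidence to bring to the phone company, and the entry name to delete from Show All Connections.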