
Help with removal of Zip Zap PopUp's

Discussion in 'Malware and Virus Removal Archive' started by chetonbbs, 2005/03/03.

Thread Status:
Not open for further replies.
1. chetonbbs (thread starter), 2005/03/03
    Background
    I am trying to help my 80+ year old father-in-law (FIL) in Florida delete Zip Zap popup ads and the associated automatic dialer, Instant Access, on his computer. It appears the latter dials into a very expensive 900 number. When I tried to remove Instant Access via the Control Panel "Add or Remove Programs" I was led to a website asking me to download a special "uninstall program". I am too knowledgeable and cautious to do the same, so I researched the subject further.

    My research via Google on the Zip Zap problem led me to your site. I have registered today as a new member from my FIL's computer but intend to use my membership on my own Windows-based PCs when I return home. While I am an intermediate experienced computer person, there is much I don't know. Thus I am not sure what IP address you received when I registered: my FIL's PC, on which I am registered as a guest, or the address that is associated with my email. My only reason for offering this information is to inform you of the circumstances and my ignorance on the subject.

    Question
    When I perform the steps of your advice do I need to be using an account with Administrator privileges?

    Initial Step
    As a result of reading other WBBS posts, I have posted below the "List Installed Programs" installed on my FIL's PC and a "HJT" listing. It appears from reviewing other posts on this subject that the solutions to this problem vary. I have also run FixVundo from Symantec. The report was that the Trojan is not present. I have tried to eradicate the problem with SpyBot and Ad-Aware SE without success. The problem seems to return after starting IE.

    Since this is my first experience with this process I will await your advice on how to eliminate Zip Zap popups and the "Instant Access" Dialer on this PC for my father-in-law.

    INSTALLED SOFTWARE (51) - ART-HI8XAUPU3T3 - 3/3/2005 10:47:27 PM

    Ad-aware 6 Personal
    Ad-Aware SE Personal
    Adobe Acrobat 4.0 Ver: 4.0
    Adobe ActiveShare 1.2
    Adobe Download Manager 1.2 (Remove Only)
    Adobe PhotoDeluxe Home Edition 4.0 Ver: 4.0
    Adobe Photoshop Elements Ver: 1.0
    Adobe SVG Viewer Ver: 1.0
    ArcSoft Software Suite
    Backup Dell-Installed Programs Ver: 2.01.0000 Installed: 8/30/2004
    BellSouth Accelerator Technology
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1 Ver: 1.99.1
    hp deskjet 825c series (Remove only)
    LiveReg (Symantec Corporation) Ver: 2.2.0.1621
    LiveUpdate 2.6 (Symantec Corporation) Ver: 2.6.14.0
    Microsoft Encarta Encyclopedia Standard 2002 Ver: 2002 Installed: 7/29/2003
    Microsoft Office XP Professional with FrontPage Ver: 10.0.2627.0 Installed: 8/3/2003
    Microsoft Picture It! Photo 2002 Ver: 6.0.0.0000 Installed: 7/29/2003
    Microsoft Streets and Trips 2002 Ver: 9.00.17.0200 Installed: 7/29/2003
    Nikon View 6
    Norton CleanSweep
    Norton Speed Disk 7.0 for Windows NT
    Norton SystemWorks 2003 Ver: 6.0.0 Installed: 12/30/2003
    Norton Utilities 2003 for Windows
    Norton WMI Update Ver: 2005.1.2.20 Installed: 11/19/2004
    Shockwave Flash
    skoxrpcb
    Spybot - Search & Destroy 1.3 Ver: 1.3
    Symantec Network Drivers Update Ver: 5.4.4.17 Installed: 2/10/2005
    The Print Shop Brochures, Newsletters and More!
    Turbo Lister Ver: 1.4.1.0 Installed: 9/21/2003
    Turbo Lister Ver: 1.4.1.0 Installed: 9/21/2003
    WebFldrs XP Ver: 9.50.5318 Installed: 5/2/2003
    Windows XP Hotfix - KB834707 Ver: 20040929.110854
    Windows XP Hotfix - KB867282 Ver: 20050127.090417
    Windows XP Hotfix - KB873333 Ver: 20050114.005213
    Windows XP Hotfix - KB873339 Ver: 20041117.092459
    Windows XP Hotfix - KB885250 Ver: 20050118.202711
    Windows XP Hotfix - KB885835 Ver: 20041027.181713
    Windows XP Hotfix - KB885836 Ver: 20041028.173203
    Windows XP Hotfix - KB885884 Ver: 20040924.025457
    Windows XP Hotfix - KB886185 Ver: 20041021.090540
    Windows XP Hotfix - KB887472 Ver: 20041014.162858
    Windows XP Hotfix - KB887742 Ver: 20041103.095002
    Windows XP Hotfix - KB888113 Ver: 20041116.131036
    Windows XP Hotfix - KB888302 Ver: 20041207.111426
    Windows XP Hotfix - KB890047 Ver: 20041221.124506
    Windows XP Hotfix - KB890175 Ver: 20041201.233338
    Windows XP Hotfix - KB891781 Ver: 20050110.165439
    Windows XP Service Pack 2 Ver: 20040803.231319


    Logfile of HijackThis v1.99.1
    Scan saved at 10:45:50 PM, on 3/3/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\BellSouth Accelerator Technology\propelac.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\All Users\Documents\Fix ZipZap\HiJackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [skoxrpcb] c:\windows\system32\skoxrpcb.exe -start
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1039_pack_XP.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) - http://download.fbmsoftware.com/downloads/zerospyware/freescan/zsfreescan.cab
    O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1047_XP.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{28A4EBD5-C33B-4E3F-9B9D-09A92DDB7FCD}: NameServer = 205.152.144.235 205.152.37.254
    O17 - HKLM\System\CS1\Services\Tcpip\..\{28A4EBD5-C33B-4E3F-9B9D-09A92DDB7FCD}: NameServer = 205.152.144.235 205.152.37.254
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
2. noahdfear, 2005/03/03
    Welcome to WindowsBBS chetonbbs:)

    This is actually the first time I have seen the bad guy present in a HJT log, so I will save you a few steps (I hope). Did you run this scan in safe mode? If so, do the new one from within Windows, please.

    Scan again with HijackThis and place a check next to the following remaining entries. Close ALL other windows and click fix.

    O4 - HKLM\..\Run: [skoxrpcb] c:\windows\system32\skoxrpcb.exe -start
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binari...039_pack_XP.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
    O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) - http://download.fbmsoftware.com/dow.../zsfreescan.cab
    O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binari...ICE_1047_XP.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binari...tpe32_EN_XP.cab
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binari...slv32_EN_XP.cab

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. (you can use F8 if you prefer)

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

    Open C:\WINDOWS\system32 and delete the files skoxrpcb.exe, EGDACCESS_1057.dll and EGDACCESS_1057.inf.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.

    You should now be able to remove the Instant Access and skoxrpcb entries in Add/Remove if present.
     


4. chetonbbs (thread starter), 2005/03/04
    Hi Dave, here are my comments and the results of the RAV and HJT scans.


    "This is actually the first time I have seen the bad guy present in a HJT log, so will save you a few steps (I hope). Did you run this scan in safe mode?" :) No. "If so, do the new one from within Windows, please." :) Did it.

    Ran HJT, checked and fixed

    After Safe boot and show hidden files

    Open C:\WINDOWS\system32 and delete the files skoxrpcb.exe (this file was not present; found and left in place: skoxrpcb.dat), EGDACCESS_1057.dll (deleted; also found but left in place: EGDACCESS.dll) and EGDACCESS_1057.inf (this file was not present).

    Found and deleted files as requested
    Rebooted
    Received error message: "Error Loading EGDACCESS_1057.dll The specified module could not be found"

    Rav Scan
    RAV Engine: 8.11
    Virus Signatures: 113811
    Last Update: Wednesday, March 02, 2005 10:26:41

    Scan started at 3/4/2005 1:40:26 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\djjfdddjd.exe - Trojan:Win32/IEZones.A -> Infected
    C:\WINDOWS\system32\netia32.dll - Trojan:Win32/Trilon.A -> Infected
    C:\WINDOWS\system32\TFTP3076 - Backdoor:Win32/Rbot.dam#2 -> Infected
    C:\WINDOWS\system32\svchosting.exe - Backdoor:IRC/SdBot.dam#2 -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WS8JFFAY\bean[1].exe - Trojan:Win32/IEZones.A -> Infected
    C:\Documents and Settings\All Users\Documents\Fix ZipZap\HiJackThis\hijackthis\backups\backup-20050304-001619-277.dll - TrojanDownloader:Win32/Wintrim.BB -> Infected

    Scanned
    ============================
    Objects: 27952
    Directories: 2312
    Archives: 936
    Size(Kb): 587186
    Infected files: 6

    Found
    ============================
    Viruses found: 5
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 140

    HJT Scan
    Logfile of HijackThis v1.99.1
    Scan saved at 2:10:52 AM, on 3/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BellSouth Accelerator Technology\propelac.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\All Users\Documents\Fix ZipZap\HiJackThis\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [skoxrpcb] c:\windows\system32\skoxrpcb.exe -start
    O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ??? \WkDetect.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
    O4 - HKCU\..\RunServices: [Video Process] aouhmqb.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1039_pack_XP.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) - http://download.fbmsoftware.com/downloads/zerospyware/freescan/zsfreescan.cab
    O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1047_XP.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{28A4EBD5-C33B-4E3F-9B9D-09A92DDB7FCD}: NameServer = 205.152.144.235 205.152.37.254
    O17 - HKLM\System\CS1\Services\Tcpip\..\{28A4EBD5-C33B-4E3F-9B9D-09A92DDB7FCD}: NameServer = 205.152.144.235 205.152.37.254
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Because skoxrpcb.exe is shown in the HJT data above, I rebooted in Safe mode and searched for the file in c:\windows\system32 and in all files including safe, hidden and system files, but the search function could not find it. It did find skoxrpcb.dat. This .exe file is hiding somewhere.

    Thanks for your help. I will resume working on this after some sleep. Probably around 9 AM 3/4/04 I will check back.

    The Popup Ads have not appeared today (3/4/04) in spite of running IE all day. Good sign - I hope @10:56 PM 3/4/05

    Instant Access is no longer on the Add or Remove Programs list. Also, skoxrpcb is on the Add or Remove Programs list. When I selected skoxrpcb and clicked on the "change or remove" button I received the following message in an "Uninstaller Error" dialogue box. It read, "An error occurred while trying to remove skoxrpcb. It may already have been uninstalled. Would you like to remove skoxrpcb from the Add or Remove program list?" I answered no, so it is still on the list. What is your advice?
     
    Last edited: 2005/03/04
5. noahdfear, 2005/03/05
    Let's play it safe and do the usual steps for removing this, since some of the entries re-appeared and files were not found.

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\skoxrpcb.exe

    Check the box to delete on reboot and click the red X to the right. Click OK, then NO to reboot now. Copy the next filepath and paste it in the box, and repeat the above steps. When all of the below filepaths are done, close the Killbox.

    C:\WINDOWS\Downlo~1\EGDACCESS.inf
    C:\WINDOWS\system32\EGDACCESS_1057.dll



    Download and install Reglite.


    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O4 - HKLM\..\Run: [skoxrpcb] c:\windows\system32\skoxrpcb.exe -start
    O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
    O4 - HKCU\..\RunServices: [Video Process] aouhmqb.exe
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binari...039_pack_XP.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
    O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binari...ICE_1047_XP.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binari...tpe32_EN_XP.cab
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binari...slv32_EN_XP.cab

    Click the config button in HijackThis, then backups. Select all and delete. Close HJT.

    Reboot to safe mode, showing hidden files.


    Open RegLite and copy/paste the following string in the address window then click go.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    The forum format puts a space in the word current that you will need to edit out before clicking Go.

    Right click the "skoxrpcb "= "c:\\windows\\system32\\skoxrpcb.exe -start" value in the right pane and delete. Then copy/paste the following.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\skoxrpcb

    Right click the skoxrpcb key in the left pane and delete.

    Exit Reglite.


    Search for and delete the files w32usb2.exe and aouhmqb.exe if found.
    Find skoxrpcb.dat and EGDACCESS.dll again, delete them.
    Open Local Disk C: and delete the file djjfdddjd.exe
    Open C:\WINDOWS\system32 and delete the files netia32.dll, TFTP3076 and svchosting.exe
    Open C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.

    Empty the recycle bin.

    Reboot back to windows.

    Run another HijackThis scan and post the log.
     
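    The entry selections in posts #2 and #5 above come from reading the HJT log by eye and from experience with this adware. As an added example (not from the thread and not HijackThis code), the Python script below applies a few of the generic checks behind that kind of selection and cross-references the log with the RAV report: an O4 autorun whose file has no directory (w32usb2.exe, aouhmqb.exe, the DLL handed to rundll32), an entry under the Win9x-era RunServices key, an O16 ActiveX download from a host not on an allowlist, and any name that matches a file the AV scan marked infected (netia32_EN_XP.cab against C:\WINDOWS\system32\netia32.dll). The sample input is a subset of lines copied from the second HJT log and the RAV report in this thread; the host allowlist and the rules themselves are my assumptions, chosen for illustration. Note the limit of such rules: skoxrpcb.exe, with a full path under system32, passes every one of them and was picked out by the helper from knowledge of this family, so a hit here means "review this entry", never a verdict on its own.

```python
"""HijackThis O4/O16 triage cross-referenced with an AV scan report.

Added example (not part of the thread and not HijackThis code). The rules are
assumptions chosen for illustration; a hit means "review this", not "malicious".
"""
import ntpath
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample input: a subset of lines copied from the second HJT log and
# the RAV report in the thread. Any other log/report text can be passed instead.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [skoxrpcb] c:\windows\system32\skoxrpcb.exe -start
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O4 - HKCU\..\RunServices: [Video Process] aouhmqb.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) - http://download.fbmsoftware.com/downloads/zerospyware/freescan/zsfreescan.cab
"""
RAV_REPORT = r"""
C:\djjfdddjd.exe - Trojan:Win32/IEZones.A -> Infected
C:\WINDOWS\system32\netia32.dll - Trojan:Win32/Trilon.A -> Infected
C:\WINDOWS\system32\svchosting.exe - Backdoor:IRC/SdBot.dam#2 -> Infected
"""
# Assumed allowlist: ActiveX (O16) download hosts this owner knowingly used.
ALLOWED_DPF_HOSTS = {"download.ebay.com", "www.ravantivirus.com"}

O4_RE = re.compile(r'^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
O16_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$')
AV_RE = re.compile(r'^(.+?) - \S+ -> Infected$')


def stem(path):
    """Lower-cased basename without extension; works for Windows paths and URLs."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def av_stems(av_text):
    """Name stems of every file the AV report marked as infected."""
    return {stem(m.group(1)) for line in av_text.splitlines()
            if (m := AV_RE.match(line.strip()))}


def launch_target(command):
    """The file an O4 command really runs: the quoted or first token, or for
    rundll32 the DLL it is told to load ("EGDACCESS_1057.dll,InstantAccess")."""
    command = command.strip()
    if command.startswith('"'):
        exe, _, rest = command[1:].partition('"')
    else:
        exe, _, rest = command.partition(' ')
    exe = exe.strip()
    if ntpath.basename(exe).lower() == 'rundll32.exe':
        return rest.strip().split(' ', 1)[0].split(',', 1)[0]
    return exe


def is_bare_name(path):
    """No directory given: Windows resolves it via the search path, and the log
    does not tell you where the file actually lives."""
    return not any(c in path for c in '\\/:')


def matches_av(name_stem, stems):
    """Exact match, or AV stem plus a '_' suffix (netia32 -> netia32_en_xp)."""
    return any(name_stem == s or name_stem.startswith(s + '_') for s in stems)


@dataclass
class Finding:
    ident: str                  # O4 [name] or O16 CLSID
    line: str
    reasons: list = field(default_factory=list)


def triage(hjt_text, av_text, allowed_hosts):
    """Return a Finding for every O4/O16 line that trips at least one rule."""
    stems = av_stems(av_text)
    findings = []
    for line in (raw.strip() for raw in hjt_text.splitlines()):
        reasons = []
        if m := O4_RE.match(line):
            hive, key, ident, command = m.groups()
            target = launch_target(command)
            if key.lower().startswith('runservices'):
                reasons.append(f'{hive}\\{key}: Win9x-era key, rarely written by legitimate XP software')
            if is_bare_name(target):
                reasons.append(f'{target}: no directory given, file location unknown')
            if matches_av(stem(target), stems):
                reasons.append(f'{target}: flagged by the AV scan')
        elif m := O16_RE.match(line):
            ident, _label, url = m.groups()
            host = (urlparse(url).hostname or '').lower()
            if host not in allowed_hosts:
                reasons.append(f'ActiveX download from {host}: host not on allowlist')
            if matches_av(stem(url), stems):
                reasons.append(f'{ntpath.basename(url)}: name matches a file the AV scan flagged')
        else:
            continue
        if reasons:
            findings.append(Finding(ident, line, reasons))
    return findings


def flagged_idents(findings):
    return {f.ident for f in findings}


if __name__ == '__main__':
    for f in triage(HJT_LOG, RAV_REPORT, ALLOWED_DPF_HOSTS):
        print(f.line)
        for reason in f.reasons:
            print('   ->', reason)
```

    Run against the sample, it flags the three PATH-dependent O4 entries (including the rundll32/EGDACCESS_1057.dll dialer), the HKCU RunServices entry, and the two O16 downloads from hosts outside the allowlist, with the netia32 cab also tied to the AV hit on netia32.dll; ccApp, msmsgs, the eBay and RAV controls and skoxrpcb pass. A real triage would extend the allowlist and the AV report with the machine's own data rather than trust these defaults.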
6. chetonbbs (thread starter), 2005/03/06
    Back to Home in New England

    Hi Dave,

    I have returned to my home in New England. My 80+ year old father-in-law is not experienced enough to carry out the instructions in your last post. I need to contact my FIL's grandson-in-law, who is computer savvy, to see if he can finish the job as you advised. This will probably take a few days, possibly more than a week.

    If zip zap does not reappear on my FIL's PC, which, if any, of the steps in your last post would you say are critical, or can they wait a few days/weeks?

    Thanks for your help. You have been terrific :) and I plan on joining WBBS as a contributing member. :cool:

    Chet
     
7. noahdfear, 2005/03/06
    I would suggest someone follow up those instructions ASAP. ;)
     
8. chetonbbs (thread starter), 2005/03/22
    No one available to followup

    Dear Noah,

    My grandfather has not been able to find anyone to follow up. Fortunately, he is not having any problems with zip zap pop-ups. I think we should close this out for now. I do not know when I will return to FL to help. My suggestion is that I start anew when I do return to FL. What do you think? Thanks for all your help.

    Chetonbbs
     
9. noahdfear, 2005/03/22
    That's a shame he's unable to find someone to help. :( Yes, you'll need to start over again when you get to it. I would encourage as little internet access as possible until it gets cleaned up. If Instant Access/Zipzppromos is still active, it may be doing like many others report and connecting to a site that adds charges to his phone bill. :eek:
     
10. chetonbbs (thread starter), 2005/03/22
    Thanks

    Noah, Thanks and I will keep a long distance eye on the situation. Chetonbbs
     