another pop ups zipzap promos.com

And the Instant Access search:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Instant Access]

I downloaded Microsoft AntiSpyware. It found all the things that everyone's been talking about: the Instant Access, E-Group, EUniverse, and Help Express. Hopefully, the things that it caught are enough to prevent the popups.

The list programs no longer reveals the 'Instant Access' entry.

Well, I'll try a restart/connect to the internet (the popups have only been occuring withing the first few sites).

Heres the process log, we'll see if we need it...
DPCs n/a 4.55 Deferred Procedure Calls
System 4
smss.exe 384 Windows NT Session Manager Microsoft Corporation
csrss.exe 440 Client Server Runtime Process Microsoft Corporation
winlogon.exe 464 Windows NT Logon Application Microsoft Corporation
services.exe 508 1.52 Services and Controller app Microsoft Corporation
svchost.exe 664 Generic Host Process for Win32 Services Microsoft Corporation
msnmsgr.exe 3636 Messenger Microsoft Corporation
gcasDtServ.exe 3340 Microsoft AntiSpyware Data Service Microsoft Corporation
gcasServ.exe 3336 Microsoft AntiSpyware Service Microsoft Corporation
GIANTAntiSpywareMain.exe 1216 Microsoft AntiSpyware Main Microsoft Corporation
msmsgs.exe 3368 Windows Messenger Microsoft Corporation
svchost.exe 744 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 808 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 860 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 908 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1004 Spooler SubSystem App Microsoft Corporation
CCSETMGR.EXE 1100 Common Client Settings Manager Service Symantec Corporation
cisvc.exe 1120 Content Index service Microsoft Corporation
cidaemon.exe 2224 Indexing Service filter daemon Microsoft Corporation
mdm.exe 1164 Machine Debug Manager Microsoft Corporation
NAVAPSVC.EXE 1184 Norton AntiVirus Auto-Protect Service Symantec Corporation
nvsvc32.exe 1244 NVIDIA Driver Helper Service, Version 66.93 NVIDIA Corporation
retrorun.exe 1268 Retrospect Launcher Dantz Development Corporation
symlcsvc.exe 1348 Symantec Core Component Symantec Corporation
CCEVTMGR.EXE 1388 Common Client Event Manager Service Symantec Corporation
symwsc.exe 1564 Norton Security Center Service Symantec Corporation
SAVSCAN.EXE 1784 Symantec AntiVirus Scanner Symantec Corporation
alg.exe 1812 Application Layer Gateway Service Microsoft Corporation
iPodService.exe 2280 iPodService Module Apple Computer, Inc.
lsass.exe 520 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 616 Windows Explorer Microsoft Corporation
Directcd.exe 1996 DirectCD Application Roxio
devldr32.exe 2068 DevLdr32 Creative Technology Ltd.
EM_EXEC.EXE 2088 Control Center Logitech Inc.
ComboButton.exe 2124 Maxtor OneTouch Detection Maxtor Corp.
MXOALDR.EXE 2172 Maxtor MXO Auto Loader Application Cypress Semiconductor
CCAPP.EXE 2184 Common Client User Session Symantec Corporation
iTunesHelper.exe 2212 iTunesHelper Module Apple Computer, Inc.
tca.exe 2564 The Cleaner Active Process Monitor MooSoft Development
tcm.exe 2608 The Cleaner Registry and File Monitor MooSoft Development
ctfmon.exe 2616 CTF Loader Microsoft Corporation
steam.exe 2624 Steam Valve Corporation
msn6.exe 3588 msn Microsoft Corporation
iexplore.exe 2792 Internet Explorer Microsoft Corporation
RegSearch.exe 4084 Registry searcher SteelWerX
procexp.exe 2712 6.06 Sysinternals Process Explorer Sysinternals

 

Dang, still getting popups.

 

That's good news. Would you please post the scan log from MS Antispyware, or email it to me.

Run another HJT scan and let me know if this entry is present.
O4 - HKLM\..\Run:[bzdqir] c:\\windows\\system32\\bzdqir.exe -start

Did you search for egdaccess_1057.dll with RegSearch?

 

Well, I have some great news. It appears that bzdqir is the file were looking for. It starts up upon opening internet explorer. I blocked it with Microsoft Antispyware. Now, I forget if this Zipzap thing is triggered per internet session (I have dialup) or per account login. But, if it's per session, then we are gold, Jerry. Gold!
Anyway, is there anything you've heard about bzdqir.exe to indicate that it isn't the program? By the way, I sent an email, but it's from my hotmail account (not the msn one I'm logged in as). Thanks for all the help!

 

That is great news. I got the email, thanks.

Download: supershell.zip
http://p-nand-q.com/download/tools/supershell.zip

Unzip supershell.zip to it's own folder.

Make sure you are logged in under an Administrator account.
(or are a user with Administrator privledges)
Open the unzipped SuperShell folder.
Double-click (launch) SuperShell.exe.

This will launch a Command Prompt window.
Type regedit and press ENTER to open the registry editor.

Click Edit on the toolbar and paste the following:

bzdqir

Click Find Now, once located, right-click the entry and select: Delete (Ok the prompt).

If it's a key, delete the key in the left pane, as in this location;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bzdqir]

If it's a value data, just delete the value in the right pane, as in this one;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bzdqir "= "c:\\windows\\system32\\bzdqir.exe -start "

Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.

Close REGEDIT and then in SuperShell type EXIT and press ENTER.

Use the Pocket Killbox to delete this file.
C:\Windows\System32\bzdqir.exe

Post one more HJT log.

 

Instant Access almost made its way back on the computer. I was downloading a large file, and just left it downloading. Coming back an hour later, there was one of those security popups: "Instant Access Is Installing on your Computer! Stop?" I think I was a little bit late to prevent that, lol. So I did a scan and it got the newly installed files.

But, it looks as if you got it. I haven't had a popup yet. I'm gonna try a couple more tests (reboot and see if bzdqir.exe still exists). I couldn't delete bzdqir.exe normally, so I deleted on reboot. I also fixed the 04 registry key, and found a ton more in the registry using the Find option. Antispyware got the rest of the .dll's and keys we were talking about.

Anyway, I'll write back in another half hour or so.

 

Some recommendations that should help block that nasty;

Open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
Then download and install IESpyad.

 

Well, no popups have appeared after multiple restarts and downloads of the links you gave me! I've thought a lot about the responcibilities of the internet in the time that I've had the virus, and learned a lot along the way!

It isn't Microsoft's responcibility to help attack spyware and what one downloads. Nonetheless, they have issued a great deal of security measures. The programs I've downloaded wouldn't exist if the programmers hadn't taken all the time to create them, and if they decided they didn't care. Finally, it isn't necessary for you to help so many people each day! Yet, all of you do it and do a great job of it. I'm grateful for all the help you've given me, thanks very much.

 

Happy to help. Thanks for posting back.