another pop ups zipzap promos.com

Discussion in 'Malware and Virus Removal Archive' started by s00p, 2005/02/06.

Thread Status:
Not open for further replies.
  1. 2005/02/09
    s00p

    s00p Inactive Thread Starter

    Joined:
    2005/02/06
    Messages:
    16
    Likes Received:
    0
    And the Instant Access search:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Instant Access]

    I downloaded Microsoft AntiSpyware. It found all the things that everyone's been talking about: the Instant Access, E-Group, EUniverse, and Help Express. Hopefully, the things that it caught are enough to prevent the popups.

    The list programs no longer reveals the 'Instant Access' entry.

    Well, I'll try a restart/connect to the internet (the popups have only been occurring within the first few sites).

    Here's the process log, we'll see if we need it...
    DPCs n/a 4.55 Deferred Procedure Calls
    System 4
    smss.exe 384 Windows NT Session Manager Microsoft Corporation
    csrss.exe 440 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 464 Windows NT Logon Application Microsoft Corporation
    services.exe 508 1.52 Services and Controller app Microsoft Corporation
    svchost.exe 664 Generic Host Process for Win32 Services Microsoft Corporation
    msnmsgr.exe 3636 Messenger Microsoft Corporation
    gcasDtServ.exe 3340 Microsoft AntiSpyware Data Service Microsoft Corporation
    gcasServ.exe 3336 Microsoft AntiSpyware Service Microsoft Corporation
    GIANTAntiSpywareMain.exe 1216 Microsoft AntiSpyware Main Microsoft Corporation
    msmsgs.exe 3368 Windows Messenger Microsoft Corporation
    svchost.exe 744 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 808 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 860 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 908 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 1004 Spooler SubSystem App Microsoft Corporation
    CCSETMGR.EXE 1100 Common Client Settings Manager Service Symantec Corporation
    cisvc.exe 1120 Content Index service Microsoft Corporation
    cidaemon.exe 2224 Indexing Service filter daemon Microsoft Corporation
    mdm.exe 1164 Machine Debug Manager Microsoft Corporation
    NAVAPSVC.EXE 1184 Norton AntiVirus Auto-Protect Service Symantec Corporation
    nvsvc32.exe 1244 NVIDIA Driver Helper Service, Version 66.93 NVIDIA Corporation
    retrorun.exe 1268 Retrospect Launcher Dantz Development Corporation
    symlcsvc.exe 1348 Symantec Core Component Symantec Corporation
    CCEVTMGR.EXE 1388 Common Client Event Manager Service Symantec Corporation
    symwsc.exe 1564 Norton Security Center Service Symantec Corporation
    SAVSCAN.EXE 1784 Symantec AntiVirus Scanner Symantec Corporation
    alg.exe 1812 Application Layer Gateway Service Microsoft Corporation
    iPodService.exe 2280 iPodService Module Apple Computer, Inc.
    lsass.exe 520 LSA Shell (Export Version) Microsoft Corporation
    explorer.exe 616 Windows Explorer Microsoft Corporation
    Directcd.exe 1996 DirectCD Application Roxio
    devldr32.exe 2068 DevLdr32 Creative Technology Ltd.
    EM_EXEC.EXE 2088 Control Center Logitech Inc.
    ComboButton.exe 2124 Maxtor OneTouch Detection Maxtor Corp.
    MXOALDR.EXE 2172 Maxtor MXO Auto Loader Application Cypress Semiconductor
    CCAPP.EXE 2184 Common Client User Session Symantec Corporation
    iTunesHelper.exe 2212 iTunesHelper Module Apple Computer, Inc.
    tca.exe 2564 The Cleaner Active Process Monitor MooSoft Development
    tcm.exe 2608 The Cleaner Registry and File Monitor MooSoft Development
    ctfmon.exe 2616 CTF Loader Microsoft Corporation
    steam.exe 2624 Steam Valve Corporation
    msn6.exe 3588 msn Microsoft Corporation
    iexplore.exe 2792 Internet Explorer Microsoft Corporation
    RegSearch.exe 4084 Registry searcher SteelWerX
    procexp.exe 2712 6.06 Sysinternals Process Explorer Sysinternals
     
  2. 2005/02/09
    s00p

    s00p Inactive Thread Starter

    Joined:
    2005/02/06
    Messages:
    16
    Likes Received:
    0
    Dang, still getting popups.
     

  4. 2005/02/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's good news. :) Would you please post the scan log from MS Antispyware, or email it to me.

    Run another HJT scan and let me know if this entry is present.
    O4 - HKLM\..\Run:[bzdqir] c:\\windows\\system32\\bzdqir.exe -start

    Did you search for egdaccess_1057.dll with RegSearch?
     
  5. 2005/02/10
    s00p

    s00p Inactive Thread Starter

    Joined:
    2005/02/06
    Messages:
    16
    Likes Received:
    0
    Well, I have some great news. It appears that bzdqir is the file we're looking for. It starts up upon opening internet explorer. I blocked it with Microsoft Antispyware. Now, I forget if this Zipzap thing is triggered per internet session (I have dialup) or per account login. But, if it's per session, then we are gold, Jerry. Gold!
    Anyway, is there anything you've heard about bzdqir.exe to indicate that it isn't the program? By the way, I sent an email, but it's from my hotmail account (not the msn one I'm logged in as). Thanks for all the help!
     
  6. 2005/02/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That is great news. :) I got the email, thanks.

    Download: supershell.zip
    http://p-nand-q.com/download/tools/supershell.zip

    Unzip supershell.zip to its own folder.

    Make sure you are logged in under an Administrator account.
    (or are a user with Administrator privileges)
    Open the unzipped SuperShell folder.
    Double-click (launch) SuperShell.exe.

    This will launch a Command Prompt window.
    Type regedit and press ENTER to open the registry editor.

    Click Edit on the toolbar and paste the following:

    bzdqir

    Click Find Now, once located, right-click the entry and select: Delete (Ok the prompt).

    If it's a key, delete the key in the left pane, as in this location;
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bzdqir]

    If it's a value data, just delete the value in the right pane, as in this one;
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "bzdqir"="c:\\windows\\system32\\bzdqir.exe -start"

    Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.

    Close REGEDIT and then in SuperShell type EXIT and press ENTER.

    Use the Pocket Killbox to delete this file.
    C:\Windows\System32\bzdqir.exe

    Post one more HJT log.
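
    The registry search described in the post above, as an added example that is not part of the original post: a read-only PowerShell audit that reports where a name appears as a Run value, as an Uninstall key, or as a file in System32, so the hits can be reviewed before anything is deleted by hand. The default name and the two HKLM locations come from the thread; the RunOnce and HKCU keys, the signature check and the output column names are assumptions added here. Run it from an elevated prompt.

```powershell
# Added example: read-only audit, nothing is deleted.
param([string]$Name = 'bzdqir')   # name taken from the thread

# HKLM Run is named in the thread; RunOnce and HKCU are added here (assumption).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$uninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Values: match on the value name or on the command line it launches.
$hits = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($valueName -like "*$Name*" -or $data -like "*$Name*") {
            [pscustomobject]@{ Kind = 'Value'; Location = $key
                               Name = $valueName; Data = $data }
        }
    }
})

# Keys: an Uninstall subkey named after the program.
$hits += @(Get-ChildItem -Path $uninstallRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "*$Name*" } |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'Key'; Location = $_.Name
                           Name = $_.PSChildName; Data = '' }
    })

# File: the executable the Run value points at, with its signature status.
$file = Join-Path $env:SystemRoot "System32\$Name.exe"
if (Test-Path -LiteralPath $file) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $hits += [pscustomobject]@{ Kind = 'File'; Location = $file
                                Name = "$Name.exe"; Data = "Signature: $($sig.Status)" }
}

if ($hits.Count -eq 0) { "No match for '$Name'." }
else { $hits | Format-Table -AutoSize -Wrap }
```

    A 'Value' hit corresponds to deleting the value in the right pane of regedit, a 'Key' hit to deleting the key in the left pane.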
     
  7. 2005/02/12
    s00p

    s00p Inactive Thread Starter

    Joined:
    2005/02/06
    Messages:
    16
    Likes Received:
    0
    Instant Access almost made its way back on the computer. I was downloading a large file, and just left it downloading. Coming back an hour later, there was one of those security popups: "Instant Access Is Installing on your Computer! Stop?" I think I was a little bit late to prevent that, lol. So I did a scan and it got the newly installed files.

    But, it looks as if you got it. I haven't had a popup yet. I'm gonna try a couple more tests (reboot and see if bzdqir.exe still exists). I couldn't delete bzdqir.exe normally, so I deleted on reboot. I also fixed the 04 registry key, and found a ton more in the registry using the Find option. Antispyware got the rest of the .dll's and keys we were talking about.

    Anyway, I'll write back in another half hour or so.
     
  8. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Some recommendations that should help block that nasty;

    Open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
    Then download and install IESpyad.
     
  9. 2005/02/12
    s00p

    s00p Inactive Thread Starter

    Joined:
    2005/02/06
    Messages:
    16
    Likes Received:
    0
    Well, no popups have appeared after multiple restarts and downloads of the links you gave me! I've thought a lot about the responsibilities of the internet in the time that I've had the virus, and learned a lot along the way!

    It isn't Microsoft's responsibility to help attack spyware and what one downloads. Nonetheless, they have issued a great deal of security measures. The programs I've downloaded wouldn't exist if the programmers hadn't taken all the time to create them, and if they decided they didn't care. Finally, it isn't necessary for you to help so many people each day! Yet, all of you do it and do a great job of it. I'm grateful for all the help you've given me, thanks very much.
     
  10. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Happy to help. Thanks for posting back. :)
     