spyware/adware problem

Thread: spyware/adware problem

  1. #1
    Registered User
    Join Date
    Aug 2004
    Posts
    3

    spyware/adware problem

    I have a major spyware problem, I can't seem to get rid of these 2 certain popups, they pop up at certain sites. The URLs of the popups are kpremium.com, which is Kazaa, and the other is something like winpopupblocker.com. I'VE TRIED AD-AWARE, SPYBOT, and PESTPATROL, and they still continue to pop up. When I scan with those 3 programs nothing shows up, it shows my computer is free of spyware. I'm guessing this is something like an unknown BHO, can anyone help?

    much thanks

    Note: these popups tend to only pop up when I click a link on a page. It would pop up, and at the end of their URL it would have words related to the page I am visiting.
    thanks again

  2. #2
    Registered User InTheWayBoy's Avatar
    Join Date
    Feb 2000
    Location
    Jacksonville, FL USA
    Posts
    435
    Post a HijackThis log file...also, I'm sure you updated the scanners before scanning right?

  3. #3
    Registered User
    Join Date
    Aug 2004
    Posts
    3
    Yeah, they're updated, here's the log

    Logfile of HijackThis v1.98.2
    Scan saved at 12:01:47 AM, on 8/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\key.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
    O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O18 - Protocol hijack: mhtml -

  4. #4
    Registered User InTheWayBoy's Avatar
    Join Date
    Feb 2000
    Location
    Jacksonville, FL USA
    Posts
    435
    Remove the following...they look suspicious enough to be the culprit:

    O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
    O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg

    O18 - Protocol hijack: mhtml -

    I would also suggest removing these for performance reasons...look through each one, but I can tell you that 99.9% of the features of the programs don't need these to be running at startup.

    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

  5. #5
    Registered User
    Join Date
    Aug 2004
    Posts
    3
    No matter what I do, the file:
    O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat

    always appears again after restart. I've tried deleting it in safe mode with command prompt and it still shows up.

  6. #6
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Find the yek.dat and delete it - along with all the other temp files you have taking up space. Also check the key to which the BHO refers in the registry....find all the associated keys and remove them after you have looked for and deleted the files to which they refer.

  7. #7
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158
    ?yek.dat? KISS here Noo-Noo.
    I'm fighting through a similar (reappearing stuff).
    Thanks.

  8. #8
    Registered User axeman88's Avatar
    Join Date
    Nov 2004
    Location
    Lancaster PA, USA
    Posts
    7

    still a problem

    Quote Originally Posted by jstut
    ?yek.dat? KISS here Noo-Noo.
    I'm fighting through a similar (reappearing stuff).
    Thanks.

    So have any of you found out how to remove this spyware/virus??

    I too have this now.. I removed all the reg keys for it. it comes back..
    It won't let you delete the yek.dat file that is in the temp folder. And it will not let you delete the key.exe file either.. I've tried removing them as admin & in safe mode. no dice.

    It will let you delete the yek.ini file but it comes back in less than 30 seconds.
    I've tried several virus checkers & they don't even see a virus. I've tried several adware programs & they don't see it either..

    I've removed the reg keys with regedit. BUT they get put right back after reboot.. Interesting little bug..

    I thought this was something new.. BUT I see that your posts are dated in Aug.. of this year.. that's 3 months ago.. have any of you found out how to get rid of this ???

  9. #9
    Registered User
    Join Date
    May 2004
    Location
    Dunedin/Clearwater FLA
    Posts
    158
    Yes, actually got it fixed....you're right 3 months ago....let me look back.
    I assume you have run a hijack this scan?
    Anything awkward show up?
    Naturally, checked your startup progs....I'll have to back-track a little.
    Funny, because I have another machine I'm starting on next week with the exact same issues.
    Make you a deal.....I'll keep you posted on progress....keep me posted as well.
    "Something is loading the file" are you pretty comfortable with your firewall? (Hardware/Software)?

  10. #10
    Registered User Zonie's Avatar
    Join Date
    Apr 2001
    Location
    Phoenix, Arizona
    Posts
    1,461
    Axeman88: Try This 30 free trial to clean your system. I have used it on a lot of PC's that have been infected with Internet virus. It works good for me.

  11. #11
    Registered User axeman88's Avatar
    Join Date
    Nov 2004
    Location
    Lancaster PA, USA
    Posts
    7
    Quote Originally Posted by jstut
    Yes, actually got it fixed....you're right 3 months ago....let me look back.
    I assume you have run a hijack this scan?
    Anything awkward show up?
    Naturally, checked your startup progs....I'll have to back-track a little.
    Funny, because I have another machine I'm starting on next week with the exact same issues.
    Make you a deal.....I'll keep you posted on progress....keep me posted as well.
    "Something is loading the file" are you pretty comfortable with your firewall? (Hardware/Software)?

    Yea I did hijack this..

    Logfile of HijackThis v1.98.1
    Scan saved at 1:40:24 PM, on 11/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\Config\key.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    F:\download\progtools\freeram\FreeRAM XP Pro 1.40.exe
    C:\Utopia\Angel\Angel.exe
    C:\Program Files\ASUS\Probe\ASUSPROB.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\downloads\HijackThis.exe

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\Robert\LOCALS~1\Temp\yek.dat
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [*key] C:\WINDOWS\Config\key.exe
    O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
    O4 - HKLM\..\RunOnce: [*key] C:\WINDOWS\Config\key.exe rerun
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "F:\download\progtools\freeram\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Probe V2.19.07.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office10\EXCEL.EXE/3000

    As you can see, the key.exe is in there. I removed it with HijackThis but it comes back. I ran Spybot, AVG, Ad-Aware, Trend Vcleaner.. Nothing found with any of them. I found the location of all files. Yes, I know which files in the log to remove.. Problem is they just come back. I posted this so you could see the files for yourself.

    c:\windows\config
    has key.exe, yek.ini, yek1.bak & yek2.bak.

    I can delete the .bak files. I can delete the ini file BUT it comes right back in 30 secs or less. the key.exe file you can not delete. In taskman you can try to stop the process but it just comes back.

    C:\Documents and Settings\Robert\Local Settings\Temp
    there is yek.dat
    it won't let you delete it either.

    Now I found the files with regedit & removed the keys with the key.exe in it as well as the yek.dat. BUT it keeps coming back!!

    I've tried in safe mode as administrator & you cannot stop the process there either. Therefore you cannot delete the key.exe file.. I'm pretty sure that key.exe is what is replacing it all. That or the yek.dat.. BUT as admin I was able to delete yek.dat.. SO I am almost positive it is the key.exe file that is replacing everything..

    I tried finding info at several anti-virus company sites.. BUT they don't have anything listed under yek or key.exe

    In fact this is the first place I have found..

    Just for background purposes, I am an A+ computer tech/asst. network admin. 18 yrs experience. I've removed every kind of bug, worm & virus known to the PC community.. this one has become a pain in my backside! So any ideas would be cool..
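
Added example, not part of any post in this thread: a small Python triage pass over entries copied from the two HijackThis logs above, flagging the patterns the replies singled out (a BHO module in a Temp folder, a Run entry calling REGEDIT.EXE -s, the key.exe autoruns, the protocol hijack line). The heuristics and the `triage` function name are this example's own assumptions, not HijackThis features.

```python
import re

# Entries copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
O4 - HKLM\..\RunOnce: [*key] C:\WINDOWS\Config\key.exe rerun
O18 - Protocol hijack: mhtml -
"""

BHO = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.+)$")
TEMP = re.compile(r"\\temp\\", re.I)
WINROOT_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe', re.I)
REG_SILENT = re.compile(r"^regedit(\.exe)?\s+[-/]s\b", re.I)

def triage(log_text):
    """Return (reason, line) pairs for entries worth a manual look."""
    hits = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if m := BHO.match(line):
            path = m.group(2)
            if TEMP.search(path):
                hits.append(("BHO module in a Temp directory", line))
            elif not path.lower().endswith(".dll"):
                hits.append(("BHO module is not a .dll", line))
        elif m := RUN.match(line):
            key, name, cmd = m.groups()
            if REG_SILENT.match(cmd):
                hits.append(("autorun silently imports a .reg file", line))
            elif name.startswith("*"):
                # On RunOnce, a '*' prefix makes the entry run in Safe Mode too.
                hits.append(("'*'-prefixed autorun value name", line))
            elif WINROOT_EXE.match(cmd):
                hits.append(("autorun .exe directly in the Windows folder", line))
        elif line.startswith("O18 - Protocol hijack:"):
            hits.append(("HijackThis reports a hijacked protocol handler", line))
    return hits

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```
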

  12. #12
    Registered User axeman88's Avatar
    Join Date
    Nov 2004
    Location
    Lancaster PA, USA
    Posts
    7
    Quote Originally Posted by Zonie
    Axeman88: Try This 30 free trial to clean your system. I have used it on a lot of PC's that have been infected with Internet virus. It works good for me.

    I'm downloading it now.. I'll give it a try.. BUT all the other stuff I have usually works fine..
    I have pc bug dr. too.

  13. #13
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    www.emsisoft.com a-squared should get that.

  14. #14
    Registered User axeman88's Avatar
    Join Date
    Nov 2004
    Location
    Lancaster PA, USA
    Posts
    7
    Quote Originally Posted by NooNoo
    www.emsisoft.com a-squared should get that.
    Great, I'll download it now..
    Willing to try anything once ..

  15. #15
    Registered User axeman88's Avatar
    Join Date
    Nov 2004
    Location
    Lancaster PA, USA
    Posts
    7
    Quote Originally Posted by NooNoo
    www.emsisoft.com a-squared should get that.

    well I give a-squared high marks.. It at least found the files & named them for what they are.. a virus.. It even let me remove them.. BUT it didn't remove the key.exe file in the C:\windows\config folder which is part of the virus..

    Guess what? They all came back again.. I just ran a 2nd scan with a-squared & it detected them again.. endless circle here..

    It names the files as a trojanspy.win32.agent.l
    (last letter is a i or an L. Not sure which)

    It also found a spyware.win32.gamespy.downloader

    BUT I'm right back where I started from again..
    EXCEPT now i have a virus name to go with it..


    *** Update***
    Here is the report a-squared gave:

    a² Report
    Filename Diagnosis
    C:\Documents and Settings\Robert\Local Settings\Temp\yek.dat TrojanSpy.Win32.Agent.l


    I sent the report to A-squared..
    Maybe they will have an idea?
    Last edited by axeman88; November 22nd, 2004 at 10:59 PM.
