spyware/adware problem

i have a major spyware problem,i can seem to get rid of these 2 certain popups,they popup at certain sites. the url of the popups are kpremium.com which is kazaa and the other is something like winpopupblocker.com I'VE TRIED AD-AWARE,SPYBOT,and PESTPATROL,and they still continue to popup. when i scan with those 3 programs nothing shows up,it shows my computer is free of spyware. i'm guessing this is something like an unknown BHO,can anyone help

much thanks

note: these popups tend to only popup when i click a link on a page,it would popup and at the end of their url it would have words related to the page i am visiting
thanks again

Post a HijackThis log file...also, I'm sure you updated the scanners before scanning right?

yea,their updated,heres the log

Logfile of HijackThis v1.98.2
Scan saved at 12:01:47 AM, on 8/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\key.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Protocol hijack: mhtml -

Remove the follow...they look suspicious enough to be the culprit:

O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg

O18 - Protocol hijack: mhtml -




I would also suggest removin these for performance reasons...look through each one, but I can tell you that 99.9% of the features of the programs don't need these to be running at startup.

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

no matter what i do the file:
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat

always appears up again after restart,i've tried deleting it in safe mode with command prompt and still it shows up

Find the yek.dat and delete it - along with all the other temp files you have taking up space. Also check the key to which the bho refers in the registry....find all the associated keys and remove them after you have looked for and deleted the files to which they refer.

?yek.dat? KISS here Noo-Noo.
I'm fighting through a similar (reappearing stuff).
Thanks.

Quote:

---

Originally Posted by jstut

?yek.dat? KISS here Noo-Noo.
I'm fighting through a similar (reappearing stuff).
Thanks.

---

So have any of you found out how to remove this spyware/virus??

I too have this now.. I removed all the reg keys for it. it comes back..
It won't let you delete the yek.dat file that is in the temp folder. And it will not let you delete the key.exe file either.. I've tried removing them as admin & in safe mode. no dice.

It will let you delete the yek.ini file but it comes back in less than 30 seconds.
I've tried several virus chekers & they don't even see a virus. I've tried several adware programs & they don't see it either..

I've removed the reg keys with regedit. BUT they get put right back after reboot.. Interesting little bug..

Ithought this was something new.. BUT I see that your posts are dated in Aug.. of this year.. that's 3 months ago.. have any of you found out how to get rid of this ???

Yes, actually got it fixed....you're right 3 months ago....let me look back.
I assume you have run a hijack this scan?
Anything awkward show up?
Naturally, checked your startup progs....I'll have to back-track a little.
Funny, because I have another machine I'm starting on next week with the exact same issues.
Make you a deal.....I'll keep you posted on progress....keep me posted as well.
" Something is loading the file" are you pretty comortable with your fire-wall? (Hardware/Software)?

Axeman88: Try This 30 free trial to clean your system. I have used it on a lot of PC's that have been infected with Internet virus. It works good for me.

Quote:

---

Originally Posted by jstut

Yes, actually got it fixed....you're right 3 months ago....let me look back.
I assume you have run a hijack this scan?
Anything awkward show up?
Naturally, checked your startup progs....I'll have to back-track a little.
Funny, because I have another machine I'm starting on next week with the exact same issues.
Make you a deal.....I'll keep you posted on progress....keep me posted as well.
" Something is loading the file" are you pretty comortable with your fire-wall? (Hardware/Software)?

---

Yea I did hijack this..

Logfile of HijackThis v1.98.1
Scan saved at 1:40:24 PM, on 11/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\Config\key.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\download\progtools\freeram\FreeRAM XP Pro 1.40.exe
C:\Utopia\Angel\Angel.exe
C:\Program Files\ASUS\Probe\ASUSPROB.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\downloads\HijackThis.exe

O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\Robert\LOCALS~1\Temp\yek.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [*key] C:\WINDOWS\Config\key.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\RunOnce: [*key] C:\WINDOWS\Config\key.exe rerun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [FreeRAM XP] "F:\download\progtools\freeram\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Probe V2.19.07.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office10\EXCEL.EXE/3000

As you can see the key. exe is in there. I removed it with hijackthis but it comes back. I ran spybot, AVG, Ad-Aware, Trend Vcleaner.. Nothing found with any of them. I found the location of all files. Yes I know which files in the log to remove.. Problem is they just come back. I posted this so you could see the files for yourself. ;)

c:\windows\config
has key.exe, yek.ini, yek1.bak & yek2.bak.

I can delete the .bak files. I can delete the ini file BUT it comes right back in 30 secs or less. the key.exe file you can not delete. In taskman you can try to stop the process but it just comes back.

C:\Documents and Settings\Robert\Local Settings\Temp
there is yek.dat
it won't let you delete it either.

Now I found the files with regedit & removed the keys with the key.exe in it as well as the yek.dat. BUT it keeps coming back!!

I've tried in safe mode as administrator & you can not stop the process there either. therefore you can not delete the key.exe file.. I'm pretty sure that key.exe is what is replacing it all. That or the yek.dat.. BUT as admin as was able to delete yek.dat.. SO I am almost positive it is the key.exe file that is replacing everything..

I tried finding info at several anti-virus company sites.. BUT they don't have anything listed under yek or key.exe

In fact this is the first place I have found..

Just for background purposes, I am a A+ Computer tech/ast.network admin. 18 yrs expeirence. I've removed every kind of bug, worm & virus known to the PC community.. this one has become a pain in my backside! So any ideas would be cool.. ;)

Quote:

---

Originally Posted by Zonie

Axeman88: Try This 30 free trial to clean your system. I have used it on a lot of PC's that have been infected with Internet virus. It works good for me.

---

I'm downloading it now.. I'll give it a try.. BUT all the other stuff I have usually works fine..
I have pc bug dr. too.

www.emsisoft.com a-squared should get that.

Quote:

---

Originally Posted by NooNoo

www.emsisoft.com a-squared should get that.

---

Great, I'll download it now.. ;)
Willing to try anything once ..

Quote:

---

Originally Posted by NooNoo

www.emsisoft.com a-squared should get that.

---

well I give a-squared high marks.. It at least found the files & named them for what they are.. a virus.. It even let me remove them.. BUT it didn't remove the key.exe file in the C:\windows\config folder which is part of the virus.. :(

Guess what? They all came back again.. I just ran a 2nd scan with a-squared & it detected them again.. endless circle here..

It names the files as a trojanspy.win32.agent.l
(last letter is a i or an L. Not sure which)

It also found a spyware.win32.gamespy.downloader

BUT I'm right back where I started from again.. :(
EXCEPT now i have a virus name to go with it.. :)


*** Update***
Here is the report a-squared gave:

a² Report
Filename Diagnosis
C:\Documents and Settings\Robert\Local Settings\Temp\yek.dat TrojanSpy.Win32.Agent.l


I sent the repot to A-squared.. ;)
Maybe they will have an idea?

Quote:

---

Originally Posted by axeman88

well I give a-squared high marks.. It at least found the files & named them for what they are.. a virus.. It even let me remove them.. BUT it didn't remove the key.exe file in the C:\windows\config folder which is part of the virus.. :(

Guess what? They all came back again.. I just ran a 2nd scan with a-squared & it detected them again.. endless circle here..

It names the files as a trojanspy.win32.agent.l
(last letter is a i or an L. Not sure which)

It also found a spyware.win32.gamespy.downloader

BUT I'm right back where I started from again.. :(
EXCEPT now i have a virus name to go with it.. :)

---

Did you try "The Cleaner" as I suggested? I have had these on some of my clients and this worked in removing them.

Quote:

---

Originally Posted by axeman88

Yea I did hijack this..

Logfile of HijackThis v1.98.1
Scan saved at 1:40:24 PM, on 11/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\Config\key.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\download\progtools\freeram\FreeRAM XP Pro 1.40.exe
C:\Utopia\Angel\Angel.exe
C:\Program Files\ASUS\Probe\ASUSPROB.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\downloads\HijackThis.exe

O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\Robert\LOCALS~1\Temp\yek.dat

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [*key] C:\WINDOWS\Config\key.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\RunOnce: [*key] C:\WINDOWS\Config\key.exe rerun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [FreeRAM XP] "F:\download\progtools\freeram\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Probe V2.19.07.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office10\EXCEL.EXE/3000

As you can see the key. exe is in there. I removed it with hijackthis but it comes back. I ran spybot, AVG, Ad-Aware, Trend Vcleaner.. Nothing found with any of them. I found the location of all files. Yes I know which files in the log to remove.. Problem is they just come back. I posted this so you could see the files for yourself. ;)

c:\windows\config
has key.exe, yek.ini, yek1.bak & yek2.bak.

I can delete the .bak files. I can delete the ini file BUT it comes right back in 30 secs or less. the key.exe file you can not delete. In taskman you can try to stop the process but it just comes back.

C:\Documents and Settings\Robert\Local Settings\Temp
there is yek.dat
it won't let you delete it either.

Now I found the files with regedit & removed the keys with the key.exe in it as well as the yek.dat. BUT it keeps coming back!!

I've tried in safe mode as administrator & you can not stop the process there either. therefore you can not delete the key.exe file.. I'm pretty sure that key.exe is what is replacing it all. That or the yek.dat.. BUT as admin as was able to delete yek.dat.. SO I am almost positive it is the key.exe file that is replacing everything..

I tried finding info at several anti-virus company sites.. BUT they don't have anything listed under yek or key.exe

In fact this is the first place I have found..

Just for background purposes, I am a A+ Computer tech/ast.network admin. 18 yrs expeirence. I've removed every kind of bug, worm & virus known to the PC community.. this one has become a pain in my backside! So any ideas would be cool.. ;)

---

Axeman,

I just spend the past week trying to get rid of a very similar problem that you had. I have a suspicion that you are suffering from a variant of the virtumonde spyware problem. My file was "mainrun.exe" which was listed in the hijackthis log as [*mainrun] or something similar to it.

I followed the directions found in this link http://www.bleepingcomputer.com/forums/topict3494.html

It uses killbox to get rid of the resident program.

Good luck with your diagnosis. I just finished following the directions in the above link to get rid of my mainrun/nurniam. It looks like I was successful.

-pachoo

Quote:

---

Originally Posted by Zonie

Did you try "The Cleaner" as I suggested? I have had these on some of my clients and this worked in removing them.

---

Yea I did... It found it but wouldn't clean it.. alot like a couple other programs I tried. BUT I will continue to use that program on other clients pc's because you are right it is a good prog. ;)

Quote:

---

Originally Posted by pachoo

Axeman,

I just spend the past week trying to get rid of a very similar problem that you had. I have a suspicion that you are suffering from a variant of the virtumonde spyware problem. My file was "mainrun.exe" which was listed in the hijackthis log as [*mainrun] or something similar to it.

I followed the directions found in this link http://www.bleepingcomputer.com/forums/topict3494.html

It uses killbox to get rid of the resident program.

Good luck with your diagnosis. I just finished following the directions in the above link to get rid of my mainrun/nurniam. It looks like I was successful.

-pachoo

---

Pachoo, thanks for the info.. YEA!!!!! This did it! So, this virus is called trojanspy.win32.agent.l by A - Squared.. BUT apparently it is also know as "Virtumonde - DEL-457" that link you listed gave exact directions on how to get rid of it.. Although I know that if you could just stop the file from running as a system process you could then delete it.. Problem was I just couldn't! BUT that killbox freeware prog work perfect! it stopped the file from loading as a system process.

Funny thing is, the guide said it would delete the file as well.. BUT it didn't.. BUT it DID stop it from loading as a system process. I was able to end the process then go to the file location & delete it. I had to login as admin in safe mode to delete the ".dat" file that was located in the "C:\Documents and Settings\Robert\Local Settings\Temp" folder.

It had to be in use by the exe file more than likely. BUT as admin in safe mode I was able to delete the .dat file. I used hijack this to remove all reg entries.

NOW my PC is clean as a whistle again..

Thanks again Pachoo for the info.. exactly what i was looking for. !!

- Axeman88 ;)