
Instant Access Driving Me Insane!

Discussion in 'Malware and Virus Removal Archive' started by samfranklin, 2005/08/27.

  1. 2005/08/27 samfranklin (Thread Starter)
    I've been fooling around with computers for many years, but I never had a problem stump me until now. This computer has popups from Instant Access (EGroup). I have deleted from regedit, Killboxed, etc. It seems to reinstall itself. I do notice that when I remove the site from the "Trusted Publisher" list, the site comes back after reboot. Here is my HijackThis log.
    Help, anyone?

    Logfile of HijackThis v1.99.1
    Scan saved at 1:49:38 PM, on 8/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lora\Desktop\bug\HijackThis.exe

    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1063.dll,InstantAccess
    O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{487C8A08-FA47-4791-9519-DEFD9951EB1E}: NameServer = 207.19.167.2 207.19.167.7
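The log above has only three non-process entries, which makes it a good place to show what an analyst actually checks in a HijackThis log. The Python script below is an added example, not code from this thread or from HijackThis: it parses the O4/O16/O17 lines, flags the rundll32 autostart that names its DLL without a path, flags ActiveX download (DPF) entries from hosts that have not been vetted, and queues any O17 NameServer override for verification rather than declaring it malicious, since those addresses may simply be the ISP's resolvers. The sample log text, the vetted-host allow-list and the empty EXPECTED_DNS set are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample assembled from the O4/O16/O17/O23 lines in this thread's logs;
# the benign Trend Micro HouseCall O16 entry is included so the allow-list has work to do.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1063.dll,InstantAccess
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{487C8A08-FA47-4791-9519-DEFD9951EB1E}: NameServer = 207.19.167.2 207.19.167.7
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Assumptions for the example: ActiveX download hosts the analyst has already vetted, and the
# resolvers the ISP really hands out (empty here, so every O17 entry is queued for a check).
VETTED_DPF_HOSTS = {"housecall60.trendmicro.com"}
EXPECTED_DNS = set()

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
O17_RE = re.compile(r"NameServer = (.+)$")


def parse(log_text):
    """Return (running process paths, [(kind, body), ...]) from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.append(line)
    return procs, entries


def triage(log_text, vetted_hosts=VETTED_DPF_HOSTS, expected_dns=EXPECTED_DNS):
    """(severity, kind, detail) findings: 'fix' = remove it, 'verify' = confirm with the owner first."""
    procs, entries = parse(log_text)
    rundll_running = any(p.lower().endswith("\\rundll32.exe") for p in procs)
    findings = []
    for kind, body in entries:
        if kind == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            hive, key, name, cmd = m.groups()
            exe, _, args = cmd.partition(" ")
            if exe.lower().startswith("rundll32"):
                dll = args.split(",", 1)[0]
                # A DLL named without a path is located through the DLL search order, so the
                # autostart keeps working wherever the file is dropped and survives a missed copy.
                if ":\\" not in dll:
                    note = f"{hive}\\..\\{key} [{name}] runs {dll} through rundll32 with no path"
                    if rundll_running:
                        note += "; rundll32.exe is running now, so the DLL is probably loaded"
                    findings.append(("fix", kind, note))
        elif kind == "O16":
            m = O16_RE.match(body)
            if not m:
                continue
            clsid, _label, url = m.groups()
            host = urlparse(url).hostname or ""
            if host not in vetted_hosts:
                findings.append(("fix", kind,
                    f"ActiveX {clsid} is fetched from {host}; once the file is gone, any page that "
                    "references the CLSID makes IE fetch the cab again, without a prompt if its "
                    "signer is in Trusted Publishers"))
        elif kind == "O17":
            m = O17_RE.search(body)
            if not m:
                continue
            unknown = [s for s in m.group(1).split() if s not in expected_dns]
            if unknown:
                findings.append(("verify", kind,
                    f"NameServer {' '.join(unknown)} is not a known resolver; check it against the "
                    "ISP's DNS before resetting, since a wrong guess cuts the machine off the network"))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {kind}: {detail}")
```

Run against the log above it reports the O4 autostart and the downloadv3.com DPF as things to fix and the O17 resolvers as something to confirm with the ISP; the HouseCall entry is skipped because its host is on the allow-list. The O16 finding is the one that explains the symptom in this thread: as long as the CLSID is registered and the publisher is trusted, a page that references the control can reinstall it without any dialog.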
     
  2. 2005/08/27 oshwyn5
    Please download ewido security suite; it is a free version of the program.
    http://www.ewido.net/en/download/

    1. Install ewido security suite
    2. When installing, under "Additional Options" uncheck..
    *Install background guard
    *Install scan via context menu
    3. Launch ewido, there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you will get a warning "Database could not be found! ". Click OK. We will fix this in a moment.

    6. You will need to update ewido to the latest definition files.
    *On the left hand side of the main screen click update.
    *Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
    (The status bar at the bottom will display "Update successful".)

    DO NOT RUN IT YET!
    Go to control panel/ folder options/ view
    Check show hidden and system files.
    Uncheck hide protected files
    Uncheck hide known file extensions.

    Go to search / find files
    Locate this file
    EGDACCESS_1063.dll
    Note where it is.

    Go to control panel / system / system restore and click stop using system restore for all drives

    Launch Hijackthis with all other windows closed.
    Click scan system
    Put a check by these and choose fix
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1063.dll,InstantAccess
    O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binari...ESS_1063_XP.cab

    Close and relaunch Hijackthis and choose run misc tools

    Under misc tools choose delete a file on reboot.
    Put in the path to EGDACCESS_1063.dll

    Restart computer

    Load up ewido.
    Click on scanner
    Click on Complete System Scan and the scan will begin.
    You will be prompted to clean the first infection.
    Select "Perform action on all infections", then proceed.
    Close ewido


    Reboot, run hijackthis again and post your full log.
    Do you have a bunch of startup items disabled? Did you edit that log? There is a lot missing.
     


  4. 2005/08/27 samfranklin (Thread Starter)
    Thanks for responding so quickly.
    Yes, there is a lot missing, but no, I didn't edit the log.
    I had ewido, so I updated and did as directed.
    Here is the file. I have been to this point before, but after being online at any site for about 10 minutes the popups return. I'm at 3 minutes and counting right now.



    Logfile of HijackThis v1.99.1
    Scan saved at 4:32:55 PM, on 8/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Lora\Desktop\bug\HijackThis.exe

    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
     
  5. 2005/08/27 samfranklin (Thread Starter)
    Ten minutes later

    After being online 10 minutes the popups have returned.
    I've run HijackThis and here is the log.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:38:19 PM, on 8/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lora\Desktop\bug\HijackThis.exe

    O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{487C8A08-FA47-4791-9519-DEFD9951EB1E}: NameServer = 207.19.167.2 207.19.167.7
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
     
  6. 2005/08/28 samfranklin (Thread Starter)
    Latest

    I did the removal process again. This time I also went into Explorer options and disabled the certificates of the 'egroup' (if I delete them they come right back).
    I still get the popups, but instead of asking to connect to their site it asks to allow the software to be installed. ewido shows nothing and HijackThis doesn't show anything.
    I'm still lost as to where to go next.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:24:22 AM, on 8/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lora\Desktop\bug\HijackThis.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{487C8A08-FA47-4791-9519-DEFD9951EB1E}: NameServer = 207.19.167.2 207.19.167.7
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
     
  7. 2005/08/28 oshwyn5
    I am almost certain that you must have something which is blocking HijackThis from reading your registry.

    Please download and run the CoolWebSearch removal tool, CWShredder.
    http://www.intermute.com/products/cwshredder.html
    Download and run it and choose Fix.

    Then run HijackThis again and see what it shows.
    If it does not show anything new, open HijackThis and click on Misc Tools / Process List.
    There is a floppy disk at the upper right of the list; click this to save a copy and paste it here.
     
    Last edited: 2005/08/28
  8. 2005/08/28 samfranklin (Thread Starter)
    CWShredder

    I have version 2.15 and ran it; it found nothing.
    Here is the HijackThis log after it ran, and the process list.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:51:06 PM, on 8/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lora\Desktop\bug\HijackThis.exe

    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1063.dll,InstantAccess
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{487C8A08-FA47-4791-9519-DEFD9951EB1E}: NameServer = 207.19.167.2 207.19.167.7
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe



    Process list saved on 6:11:28 PM, on 8/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)

    [pid] [full path to filename] [file version] [company name]
    364 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
    444 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
    488 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
    500 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
    644 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
    752 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
    1024 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
    1156 C:\Program Files\ewido\security suite\ewidoguard.exe 3.0.0.1 ewido networks
    204 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
    396 C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
    1668 C:\Program Files\Internet Explorer\iexplore.exe 6.0.2900.2180 Microsoft Corporation
    344 C:\Documents and Settings\Lora\Desktop\bug\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.
     
    Last edited: 2005/08/28
  9. 2005/08/29 oshwyn5
    (quoting the HijackThis log from post 8)


    I should have thought of looking here first.
    http://securityresponse.symantec.com/avcenter/venc/data/dialer.instantaccess.html
    Note all the extra items you must check for and manually remove.

    Offhand, with yours I would say you may get by with doing the following.

    Go to Start / Run and type
    regsvr32 /u EGDACCESS_1063.dll
    Hit Enter and wait for it to say the DLL was unregistered.
    Repeat for
    regsvr32 /u EGDIAL.dll
    and
    regsvr32 /u EGCOMLIB2.dll
    and
    regsvr32 /u mseggrpid.dll
    Then run HijackThis with all other windows closed, select this line and choose Fix:
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1063.dll,InstantAccess

    Locate (Find Files) and delete the files EGDACCESS_1063.dll, EGDIAL.dll, EGCOMLIB2.dll and mseggrpid.dll
    (Note: these are probably in C:\Windows\System)
    Locate and delete these files too
    show_module.php
    show_module.php_0.loginvis
    ncc.ico
    ExeDialer.exe (Probably in C:\Windows)
    FunFunFun.lnk
    mseggrpid.dl (May have been mseggrpid.dll or may just be mseggrpid.dl)
    (Note the others should have been in
    C:\Program Files\Instant Access)
    Locate and delete this folder
    C:\Program Files\Instant Access
    (May have to reboot to safe mode to do this)
    Note that it may create any or all of the following registry keys (folders)
    HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2
    HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2.1
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{2ABE804B-4D3A-41BF-A172-304627874B45}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94742E3F-D9A1-4780-9A87-2FFA43655DA2}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{A02780C3-7F77-4E28-855B-28890F3CF37A}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{B843DA96-2B2D-447E-90AB-B92929AA11AF}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDHTML.EGDialHTML
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDHTML.EGDialHTML.1
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGHTMLDialer.HTMLDialer
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGHTMLDialer.HTMLDialer.1
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDialObject.EGDial
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDialObject.EGDial.1
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{2F668A6D-2EC7-4E3A-A485-819E210738D6}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{62BFAEC2-82A5-4117-A98B-FEA89413D924}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{81C2F7F3-F930-455E-9AA5-0876D387C787}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{83F0D6AA-CD15-46B5-AA4E-BDB506B4AE53}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{7699AEF9-F83A-44FA-B374-AA02CEDF247D}
    HKEY_USERS\.DEFAULT\Software\EGDHTML
    You must use regedit or a similar registry editor (Reglite) to locate them, then right-click and delete the key (folder).
    Finally, there should be a FunFun link on the desktop you need to delete, and you need to empty the Recycle Bin.


    Note that you have to get all the stuff it put in, and you have to do this in the order specified, or it is likely to just reinstall.

    Normally a short log like yours means that something is blocking HijackThis from seeing parts of the registry. However, in your case it just appears that you have most startup items disabled, not much running, and not a lot of unnecessary stuff installed.
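The post above works from a fixed list of CLSIDs, ProgIDs and files copied from a vendor write-up. As an added example (not code from this thread, from Symantec, or from any tool named here), the Python script below derives that list from a registry export instead: given the dialer's DLL names, it reads a .reg file, finds every CLSID whose InprocServer32 points at one of those DLLs, the ProgIDs that resolve to those CLSIDs, and the Run values that invoke the DLLs, and emits the cleanup in the order the post prescribes (unregister, remove the autostart, delete the files, then the keys). The sample export is constructed: the CLSIDs and ProgIDs in it are the ones the post lists, but which DLL each CLSID points at is an assumption for the example, and the final shdocvw.dll entry is a made-up benign control that must not end up in the plan. Interface and TypeLib keys are not resolved here.

```python
import re
from ntpath import basename

# Constructed .reg export (Windows Registry Editor 5.00 syntax, as written by regedit or
# `reg export`). CLSIDs/ProgIDs come from the post; the CLSID-to-DLL pairings are assumed,
# and the last key is a made-up benign entry the plan must leave alone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Instant Access"="rundll32.exe EGDACCESS_1063.dll,InstantAccess"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{2ABE804B-4D3A-41BF-A172-304627874B45}]
@="EGComLibrary2 Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{2ABE804B-4D3A-41BF-A172-304627874B45}\InprocServer32]
@="C:\\WINDOWS\\system32\\EGCOMLIB2.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94742E3F-D9A1-4780-9A87-2FFA43655DA2}\InprocServer32]
@="C:\\WINDOWS\\system32\\EGDIAL.dll"

[HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2\CLSID]
@="{2ABE804B-4D3A-41BF-A172-304627874B45}"

[HKEY_CLASSES_ROOT\EGDialObject.EGDial\CLSID]
@="{94742E3F-D9A1-4780-9A87-2FFA43655DA2}"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\shdocvw.dll"
'''

# The dialer's DLLs named in the post (assumed here to be the complete set).
DIALER_DLLS = ["EGDACCESS_1063.dll", "EGDIAL.dll", "EGCOMLIB2.dll", "mseggrpid.dll"]

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and quotes inside strings with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Map each key path to {value name: data}; the default value is stored under ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            name = "" if vm.group(1) == "@" else _unescape(vm.group(1)[1:-1])
            data = vm.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])   # dword:/hex: values are left as raw text
            keys[current][name] = data
    return keys


def plan_removal(reg, dll_names):
    """Ordered (step, target, value_name) tuples derived from the export."""
    dlls = {d.lower() for d in dll_names}
    clsids, keys_to_delete, run_values = set(), set(), []
    for key, values in reg.items():                    # CLSID\{...}\InprocServer32 -> our DLL
        parts = key.split("\\")
        if parts[-1].lower() == "inprocserver32" and basename(values.get("", "")).lower() in dlls:
            clsids.add(parts[-2].upper())
            keys_to_delete.add("\\".join(parts[:-1]))
    for key, values in reg.items():                    # ProgID\CLSID -> one of those CLSIDs
        parts = key.split("\\")
        if parts[-1].lower() == "clsid" and values.get("", "").upper() in clsids:
            keys_to_delete.add("\\".join(parts[:-1]))
    for key, values in reg.items():                    # autostart values that call the DLLs
        if key.split("\\")[-1].lower() in ("run", "runonce"):
            run_values += [(key, n) for n, d in values.items() if any(x in d.lower() for x in dlls)]
    plan = [("unregister", d, "") for d in dll_names]
    plan += [("delete value", k, n) for k, n in run_values]
    plan += [("delete file", d, "") for d in dll_names]
    plan += [("delete key", k, "") for k in sorted(keys_to_delete)]
    return plan


def to_commands(plan):
    """Render the plan as cmd.exe lines; fill in full DLL paths from the Find Files step."""
    render = {
        "unregister":   lambda t, n: f"regsvr32 /u {t}",
        "delete value": lambda t, n: f'reg delete "{t}" /v "{n}" /f',
        "delete file":  lambda t, n: f"del /f {t}",
        "delete key":   lambda t, n: f'reg delete "{t}" /f',
    }
    return [render[step](target, name) for step, target, name in plan]


if __name__ == "__main__":
    print("\n".join(to_commands(plan_removal(parse_reg(SAMPLE_REG), DIALER_DLLS))))
```

On XP, `reg export HKLM\SOFTWARE\Classes\CLSID classes.reg` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` produce input in this format; regedit and reg.exe usually write UTF-16, so open the files with encoding="utf-16" and concatenate the text before passing it to parse_reg. The point of resolving keys from InprocServer32 rather than a fixed list is that a newer build of the dialer with different CLSIDs is still caught as long as its DLL names are known.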
     
  10. 2005/08/29 samfranklin (Thread Starter)
    Latest

    oshwyn5,
    I have actually gone to the symantec.com site before and followed those directions. But I followed your directions, ran every scan I could find, deleted, deleted, deleted in safe mode, and hunted for every file you listed and others listed elsewhere. Many were there; some were not.
    I've been online for 3 hours and no popups. Nothing lists on HijackThis or any other scan. I'm ALMOST ready to declare victory. It still bothers me that my Explorer "trusted publishers" list has the EGROUP. When I disable or remove it, it returns.
    I'll let you know what happens, but for now thank you; I won't forget your cut of the first million.
    :)
     
  11. 2005/08/29 oshwyn5
    Is it listed in Tools / Internet Options / Security / Trusted zone?
    Or are you saying it is in your trusted root certificates?
    Tools / Internet Options / Content / Publishers / Trusted Publishers?

    I also need to ask if you have things locked with Spybot. Did you ever install Spybot Search & Destroy? If so, launch it, go to View / Advanced, go to Tools / Security / Immunize, and at the bottom uncheck the lock options.

    Then restart, remove the entries, restart, return the lock options and restart again.
     
    Last edited: 2005/08/30
  12. 2005/08/29 markp62 (Geek Member, Alumni)
    Download the attachment here; it will save as Attachment.php. Rename it to GetlogXP.zip. Unzip the file GetlogXP.bat onto the Desktop and double-click it. Notepad will open with a log; please post it here.
    Go ahead and download Reg Lite for later use.
     
    Last edited: 2008/05/04
  13. 2005/08/31 samfranklin (Thread Starter)
    Instant Access uninstaller?

    oshwyn5,
    I found the E-group in BOTH places, and they keep returning.
    I'm still popup-free for 24 hours and have returned the computer to its owner.
    I wrote the people at the Egroup and requested an uninstaller for Instant Access. They referred me to their website, which of course didn't work. After a few more emails they sent me the following link and assured me it would remove Instant Access. Frankly, I'm scared to click it. Has anyone else used this link?
    httx://network.nocreditcard.net/cleaner/DialpassUninstall.exe
    I stopped that from being a link; I wouldn't want anyone catching anything accidentally. markp62
     
  14. 2005/08/31 oshwyn5
    Try going here to update your root certificates from VeriSign:
    https://getca.verisign.com/update.html

    Have you tried adding them to the "Untrusted" tab,
    then deleting them from Trusted?

    Also, in Tools / Internet Options / Advanced / Security,
    check the "check for publisher's revocation" option.

    http://www.windowsecurity.com/articles/Code-Signing.html
    is a good article to read.


    Secunia at one time recommended just deleting all publishers.
    http://secunia.com/advisories/7579/print/
     
    Last edited: 2005/08/31
  15. 2005/09/02 samfranklin (Thread Starter)
    Re:

    I did take them off the trusted list and put them in the untrusted, but it keeps coming back.
    I still don't understand what I did right to get rid of it, since I did the same thing 40 times before it finally was gone. BUT it's still on the trusted publishers list. I wonder if I should fool with it or leave it alone?
     
  16. 2005/09/02 oshwyn5
    I would at least put them in the restricted Internet zone.

    Read this article; it may have some insight on your problem.

    Make sure you have made this change.
    I would definitely try again to remove them.
    Maybe do it in safe mode.
     
  17. 2005/09/02 markp62 (Geek Member, Alumni)
    See post #11; the batch file will show the startups via a registry export. It is very effective in finding the culprit. The below is only the visible one.
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1063.dll,InstantAccess
    I would also recommend getting Process Viewer and creating two logs with it.
    Press 1 then Enter, and a log will appear in Notepad.
    Press 2 then Enter, and a log will appear in Notepad.
    These show the DLLs hooked into Windows Explorer and Internet Explorer.
     
