  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
Status
Not open for further replies.
1 - 4 of 4 Posts

·
Registered
Joined
·
31 Posts
Discussion Starter · #1 ·
My computer is infected with "instant access", which I think is spyware. I have run an antivirus program several times, but it did not find anything.
Ad-aware did not find anything either.
SpyBot did find a few things, but they don't seem to be related to instant access. It did fix them all.
PestPatrol has found 76 items related to "instant access", under the name eGroup. I had done a little research and found that eGroup is a company that makes this spyware.
On the first try PestPatrol seemed to remove / delete all items, but the next day they were all back. I guess there are some items in the registry that are not cleaned out.
I have tried to uninstall instant access from Add/Remove prog., but it doesn't seem to be a real uninstall; it prompts me to connect to the Internet.
If I try to delete the Instant Access folder in Prog. files, it is gone until the next boot. The same happens when I uncheck the box in the startup folder.

I have no idea what to do next. :confused:

Please, help me.

Thank you.

Nermi
 

·
Registered
Joined
·
46,353 Posts
Please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now Click here to download Hijack This. Download it and click "Save". Save it to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program. Click on the Do a system scan and save a logfile button. It will scan and then ask you to save the log. Click "Save" to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

·
Registered
Joined
·
31 Posts
Discussion Starter · #3 ·
Sorry for the delay, I was out of town.

Logfile of HijackThis v1.99.1
Scan saved at 11:31:07 AM, on 7/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\FCAPJM.EXE
C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [fcapjm] c:\windows\system\fcapjm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKCU\..\Run: [iIWiper] C:\PROGRAM FILES\IISYSTEM WIPER\SYSTEMWIPER.EXE m
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/051d97c3e29187b9e515/netzip/RdxIE601.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN.cab
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060.cab

Thank you.

Nermi
 

·
Registered
Joined
·
46,353 Posts
* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.

* Click Here and download Killbox and save it to your desktop.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [fcapjm] c:\windows\system\fcapjm.exe

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/051d97c...ip/RdxIE601.cab

O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binari...sysnet32_EN.cab

O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binari...ACCESS_1060.cab


* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste the following line then click on the button that has the red circle with the X in the middle. It will ask for confirmation to delete the file. Click Yes.

c:\windows\system\fcapjm.exe

Exit the Killbox.

* Delete this folder:

C:\PROGRAM FILES\Instant Access

* Start CCleaner and click Run Cleaner

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.

* Go here and download Ad-Aware SE.
  • Install the program and launch it.
  • First in the main window look in the bottom right corner and click on Check for updates now
  • Click Connect and download the latest reference files.
  • From main window click Start then under Select a scan Mode tick Perform full system scan.
  • Next deselect Search for negligible risk entries.
  • Now to scan just click the Next button.
  • When the scan is finished mark everything for removal and get rid of it.
  • Right-click the window and choose select all from the drop down menu and click Next
  • Restart your computer.

* Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
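
Added example (not part of the original thread and not the helper's own method): a small Python parser showing how entries in the posted HijackThis log relate to each other, by pairing a rundll32 autorun (O4) with the ActiveX download entry (O16 DPF) whose .cab carries the same name, then listing other O16 entries served from the same host. The function name `correlate` and the matching rule are assumptions made for this illustration; the sample lines are an excerpt of the log posted above.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted in this thread (O4 = autorun, O16 = ActiveX DPF).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [fcapjm] c:\windows\system\fcapjm.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/051d97c3e29187b9e515/netzip/RdxIE601.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN.cab
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060.cab
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \([^)]*\))? - (?P<url>\S+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+),", re.IGNORECASE)


def correlate(log):
    """Pair rundll32 autoruns with the DPF package that carries the same DLL name."""
    dlls = {}  # lower-cased DLL stem -> autorun value name
    dpf = []   # (clsid, host, lower-cased .cab stem)
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            # Only autoruns that load a DLL through rundll32 are candidates.
            if r := RUNDLL_RE.match(m["cmd"]):
                dlls[PureWindowsPath(r["dll"]).stem.lower()] = m["name"]
        elif m := O16_RE.match(line):
            url = urlparse(m["url"])
            dpf.append((m["clsid"], url.hostname, PurePosixPath(url.path).stem.lower()))

    # An autorun DLL and a .cab with the same base name point at one component.
    paired = [(dlls[stem], clsid) for clsid, _, stem in dpf if stem in dlls]
    hosts = {host for _, host, stem in dpf if stem in dlls}
    matched = {clsid for _, clsid in paired}
    # Other DPF entries served from the same host deserve review as well.
    same_host = [c for c, host, _ in dpf if host in hosts and c not in matched]
    return {"paired": paired, "same_host": same_host}


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

Entries the rule does not link, such as the fcapjm autorun and the RdxIE DPF entry, still need the manual review the thread relies on.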
 