# Removal of Instant Access!



## Quri (Apr 19, 2005)

I realize you guys have dealt with this malware before, and I've tried to follow threads that include removing it, but no matter what I do, it always seems to come back. I'm not one to immediately ask for help, but I've tried everything I could to get rid of it. I've run my antivirus, Ad-Aware SE (ad-aware recently updated, I still have yet to update my antivirus and have another go). I've tried deleting key .dll and other files for Instant Access, and even going into the registry and deleting everything Instant or EGDACCESS. But it always keeps coming back. My bet is that I'm either missing something, or some other program keeps installing it.

I did remove the extra internet connection it put into my Network Connections folder, so my computer hasn't dialed the number that reroutes it to some overseas server. At least I don't think it has. But it mainly annoys me because I keep getting annoying (and quite obscene) pop-ups. At one point, in consistency with another thread on your forums, I found NoCreditCard on my desktop, but I think I successfully removed it. Think so anyway. I even had my boyfriend go through and delete files himself. I'm at the end of my rope here.

I'd really appreciate some help. Thanks for your time.


----------



## EAFiedler (Apr 25, 2000)

Hi *Quri*

Welcome to Tech Support Guy Forums!

I remember "EGCOMSERVICE_1044.dll,InstantAccess". I spent several hours scanning with antivirus programs and manually removing the entries from the Registry, along with unregistering the .dlls associated with Instant Access.

Definitely update your antivirus program.
Do you have a Firewall installed? 
If not, get a good Free firewall here:

*ZoneAlarm Free*
Install ZoneAlarm and DENY Internet access to any program you do not recognize as Safe to access the Internet.
_______________________________________________________________


Run an online Anti-Virus scan from at least one and preferably 2 of the following sites 
*Trendmicro HouseCall*
*PandaActiveScan*
*SymantecSecurityScan*
*RavAntiVirusScanOnline*
Allow them to clean/delete any spyware/malware or viruses/trojans they may find.
Make a note of any files flagged that were unable to be cleaned or deleted.

Download, Install and check each of the following Spyware tools for updates:
(If you already have the following, please make sure it is the latest version and has been updated)


*Ad-Aware SE 1.05*: 
Click on *Full System Scan* and deselect *Search for negligible risk entries*. Have Ad-Aware SE remove what it finds.
*Spybot-S&D 1.3*:
Have it fix what it finds marked in *Red*.
*Spyware Blaster 3.3*:
Click on *Updates > Check for Updates*. Switch to *Protection*.
Under Quick Tasks click *Enable All Protection*. Close Spyware Blaster.
*HijackThis 1.99.1*:
Double left click on the file and it will install in:
C:\Program Files\Hijackthis
It will create an entry in the Start Menu and give you the option of installing a shortcut on the desktop.
Click on the entry in the Start Menu or use the shortcut on the desktop to run HijackThis.
This will allow HijackThis to make backups properly.

After running your online virus scans and scanning with Ad-Aware SE and Spybot S&D,
close all programs, reboot to complete the removal process.

Start *HijackThis* click on *Do a system scan and save a logfile*.
Most of what it lists will be harmless or even required, so do *NOT* fix anything yet.

Close HijackThis and post your complete logfile here and one of our security experts will take a look at it.


----------



## Quri (Apr 19, 2005)

Thanks.  I actually did already run Hijack This before I posted. I knew what I was doing, and had it two lines that listed Instant Access and EGDACCESS right in the name. But I still got the popups (even after a restart), so I expect it will be back before the end of the day.

I'll run down your list and do all that. Even if it doesn't remove instant access, I'm sure it'll remove a ton of other little things I don't know about. I'll post again when I'm finished, or when I get back from work today. Whichever comes first.

Edit: I'd also like to note that I use Sygate Personal Firewall, and monitor every program that connects to the internet. If you think that your suggestion is a more efficient firewall, I'll trust your judgement.


----------



## EAFiedler (Apr 25, 2000)

If I remember correctly Instant Access calls out to other Trojans and invites them home to your system.
The system I was cleaning was not connected to the Internet until 95% of the Trojans were cleaned out, a lot of copying programs to CD-RW, transferring and installing on the infected machine. UGH!


----------



## Quri (Apr 19, 2005)

Wow. Spybot found a lot more than I expected. More than Adaware did, at least. It found two pieces of spyware, including Cydoor and WildTangent, that I've been trying to remove completely for the last few aeons. It also found CommonName, and I recognize that... needless to say I removed all of the items it found, plus a few folders I located myself that it had cleaned out. It didn't have to be done, but there's no point in letting empty folders sit.

I ran both TrendMicro and SymantecSecurityCheck. I'd run TrendMicro yesterday and it found one thing that it couldn't delete. I found it myself and removed it. Security check told me to just update my antivirus, which I'd been doing at the time, but it takes a while because I live in the country and have to use dialup. Once my antivirus (AntiVir, by the way) was updated, it found four files trying to connect to the internet that it'd never mentioned before. Two of them were EGDACCESS.dll files I'd had to regularly delete. One of them was a bit random, and the last is most notable.

I tried to run PandaActiveScan, but when I went to download the ActiveX Control it needed, AntiVir popped up saying that it included the Windows virus W95/Bumble. I halted the download and PandaActiveScan wasn't able to scan my computer.

After restarting, I got a message saying that there was an error loading EGDACCESS.dll because it could not be found. Obviously this means it's set to start when Windows starts, but I can't find anything I don't recognize in my Startup list in msconfig. And I'd like for it not to keep giving me that message every time it restarts.

Also, I've been having a little trouble with my dialup connection. Every so often it will time out, and won't be able to find a dialtone until I unplug and plug in the telephone cord. Do you think this is caused by spyware?
Also recently, Internet Explorer has been occasionally crashing when I click a link. It hasn't done this before. Is this caused by adware or should I just reinstall IE?

And now for my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:13:44 PM, on 4/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [P2P Networking2] C:\WINDOWS\system32\P2P Networking\P2P Networking2.exe /AUTOSTART
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - 
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{70A6FD9B-A678-4B60-A7D4-D4B6A9D2879D}: NameServer = 69.46.192.4 69.46.192.10
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Edit: Argh. I'd like to add that even after restarting, I still got a popup for some porn site.


----------



## EAFiedler (Apr 25, 2000)

I have never used Sygate Personal Firewall; my concern was that you may not have one.
When you get time, you can check your Firewall's shields here: Shields Up!

Also check your Firewall to see what programs are allowed Internet access. With Zone Alarm, I can start over by removing all programs and Allowing/Denying them access to the Internet when they ask.
_______________________________________________________________

I located my notes on the machine that was infected by the Adult content dialer Instant Access. Of note, the infected machine was running Windows 98 first edition, had an outdated McAfee antivirus program and no Firewall.

In Msconfig I would find this program running: *MSLAGENT*.

I removed the Startup entries in this key in the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I unregistered the following:
CompmanagerPersist.MC2
Order Persist.MC2
Acknowledged.MC2

I ran a Find through the Registry with the following key words:
Hardcore
Sex
mslagent
egcom
and removed those entries
_______________________________________________________________

Key in your suspicious files here:
www.kephyr.com

mslagent came up as MagicControl which has been reported to install the Adult content dialer Instant Access
http://www.doxdesk.com/parasite/MagicControl.html

There are at least six variants of the Instant Access Dialer listed at kephyr.com, check each dialer variant for files that may be lurking in your system
http://www.kephyr.com/spywarescanner/library/instantaccessdialer/index.phtml

The following link relates to this entry in your log:
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
Check the link's removal section to see if you have any of the files it shows, in your system.
http://doxdesk.com/parasite/ClearSearch.html

________________________________________________________________

With all windows closed, Rescan with HijackThis, place a check in these lines and click *Fix*:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binari...ESS_1058_XP.cab

Instant Access

Start > Run
Key in:
regsvr32 /u <directory>\EGDACCESS_1058.dll

If you receive an error message that the .dll could not be unregistered, it may no longer be in your system, 
or the directory may not be properly keyed in.

Then delete the offending file *EGDACCESS_1058.dll*
Run a *Search* for: *EGDACCESS* and a shortened version: *EG* to see if there are any variations of its name left in your directories.
You may find some with different numbers for example:
EGDACCESS_1044.dll
EGDACCESS_0063.dll
EGLIVECAM.dll
EGLIVECAM_1028.DLL

If you locate more .dlls, run the *regsvr32 /u* command on them, then delete the files.
You will probably have several problems/crashes with Internet Explorer until this is cleared off the system.

Also check in the DUN folder and remove the *Instant Access* connectoid.

If you have not already done so, try uninstalling WildTangent using Add/Remove Programs. Or you can have SpyBot ignore that program.

Keep us informed of your progress!


----------
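
A small triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread or any poster's own tooling. The sample lines are copied from the log in this thread; the rule set and the names `triage` and `KEYWORDS` are assumptions, and a flagged line is a candidate for review, not a verdict.

```python
import re

# Sample input: a few entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
"""

# Name fragments mentioned in this thread (assumed keyword list, lower case).
KEYWORDS = ("egdaccess", "instant access", "mslagent", "egcom", "eglivecam")

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # "O4 - ..." style lines
ORPHAN = re.compile(r"\((file missing|no file)\)")       # registry entry, no file
BARE_DLL = re.compile(r"rundll32(?:\.exe)?\s+([^\\/:,\s]+\.dll),", re.I)
EMPTY_SRC = re.compile(r"\}\s*-\s*$")                    # O16 with no download URL


def triage(log_text, keywords=KEYWORDS):
    """Return (section, reasons, entry) for every log line worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process list or blank line
        section, body = m.groups()
        reasons = []
        if ORPHAN.search(body):
            reasons.append("target file not on disk")
        if section == "O4" and BARE_DLL.search(body):
            reasons.append("rundll32 DLL without a directory")
        if section == "O16" and EMPTY_SRC.search(body):
            reasons.append("download entry with no source")
        hits = [k for k in keywords if k in body.lower()]
        if hits:
            reasons.append("name match: " + ", ".join(hits))
        if reasons:
            findings.append((section, reasons, body))
    return findings


if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"{section:<4}{'; '.join(reasons)}\n    {body}")
```
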



## EAFiedler (Apr 25, 2000)

Here is another link for MagicControl's files:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453079090

It shows the following files:
*Kill this process*
mslagent.exe

*Unregister DLLs: (if present)*
2_mslagent.dll
3_1_0_0_9_mslagent.dll
4a_1_0_1_4_mslagent.dll
4b_1_0_0_6_mslagent.dll

*Remove these registry items (if present) with RegEdit:*
HKEY_CLASSES_ROOT\clsid\{75a603e7-8bb7-4272-abbe-9846ff1241c1}
HKEY_CLASSES_ROOT\clsid\{d7a82a12-05f5-42d8-b30d-6ef995075d2d}
HKEY_CLASSES_ROOT\clsid\{de614603-6320-4046-a7a7-6a69cec26f14}
HKEY_CLASSES_ROOT\interface\{1ef28cc5-8d97-4310-b71b-ca34ee15b897}
HKEY_CLASSES_ROOT\interface\{43cdad65-aa0d-4701-8108-117f86613b69}
HKEY_CLASSES_ROOT\interface\{6d3f48f4-b40a-4c3f-a95c-85e23c3a8a91}
HKEY_CLASSES_ROOT\magiccontrol.magiccomponent
HKEY_CLASSES_ROOT\magiccontrol.magiccomponent.1
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{de614603-6320-4046-a7a7-6a69cec26f14}
HKEY_LOCAL_MACHINE\software\classes\clsid\{de614603-6320-4046-a7a7-6a69cec26f14}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{de614603-6320-4046-a7a7-6a69cec26f14}
The section above was killer; I ran a *Find* on the {GUIDs} and located 15 more entries not shown here.
Not all the entries shown above were found in the system.

*Remove these files (if present) with Windows Explorer:*
2_mslagent.dll
3_1_0_0_9_mslagent.dll
4a_1_0_1_4_mslagent.dll
4b_1_0_0_6_mslagent.dll
acknowledged.mc2
compmanagerpersist.mc2
mslagent.exe
navipersist.mc2
navipromo.mc2
orderpersist.mc2


----------

