Winantispyware popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by tpiontek, Sep 13, 2006.

  1. tpiontek

    tpiontek Private E-2

    Hi,

    I am having problems with a spyware I cannot remove. Each time I am using IE, I keep having Winantispyware popups. I tried to run many spyware programs with no chance so far.

    So now I have followed the steps indicated in the README post, here are my logs.
    It would be great if you could help me to sort it out.

    Thank you very much
    Tom
     

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Tom and Welcome,

    Sadly you have left a few of the logs out from the steps in the guide, GetRunKeys & HijackThis log, please attach those as well :)
     
  3. tpiontek

    tpiontek Private E-2

    Thank you for the reply,

    I thought I had some problems using the forum, and in the meantime I have been trying to remove the problems myself.
    I managed to remove the popup problems, but it seems I still have a few problems, a tracking cookie keeps coming back, called Tribalfusion.

    Here attached is my latest hijack log and the GetRunKeys log I did in the first place. If I need to do the whole manipulation, please let me know.


    Thank you
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cookies are not problems! Please read step 11 in the below link:

    How to Protect yourself from malware!


    And in fact if you are not having any other malware problems, you should follow all the directions in the above link.
     
  5. tpiontek

    tpiontek Private E-2

    Ok, thanks.
    However I still have 2 issues.

    First, the activescan log is showing this:
    Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
    Dialer:dialer.b Not disinfected c:\windows\downloaded program files\sysnetsvc32.inf
    but I cannot see those 2 files on my system, and I have show hidden files turned on.

    Also, Spyware Doctor is telling me I have an item in the registry, a Certificate, which is an e-dialer. I tried to remove it before manually, but it is coming back.

    HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A

    I attach the log file for you.
    Can you give me a clue about this please?

    Thanks a lot for your help.
    Tom
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You have a few files related to Instant Access aka EdgeAccess. Note, Windows Explorer (even with viewing of hidden files enabled) cannot show files in the Downloaded Program Files folder. You must either use another tool to see them or you can see them from a command prompt. So I will give you a tool that we will use. Download and install ExplorerXP. It is much better at showing ALL files. We will use it later.

    First a question! Are your copies of Ewido and Spyware Doctor paid versions or free versions?


    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03

    Now make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O16 - DPF: {39EA2F6F-3F50-4F58-9C63-4B3D53B0926E} - http://scripts.downloadv3.com/binaries/P2EClient/EGAUTH_1049_EN_XP.cab
    O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068_XP.cab
    O16 - DPF: {E1D20694-74D9-472D-AF03-08C26173A67F} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1063_em_XP.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use ExplorerXP to find and delete the below (some may be gone due to using HJT above):
    c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
    c:\windows\downloaded program files\sysnetsvc32.inf
    C:\WINDOWS\Downloaded Program Files\egaccess4.inf
    C:\WINDOWS\system32\emcfwxkaiq.exe
    C:\WINDOWS\system32\emcfwxkaiq.dat
    C:\WINDOWS\system32\emcfwxkaiq_nav.dat
    C:\WINDOWS\system32\emcfwxkaiq_navps.dat

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now. Does Spyware Doctor still show that registry key? If so, can you delete it now?
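
Added example (not part of the original posts and not a MajorGeeks or HijackThis tool): a small Python parser for the O16 (Downloaded Program Files) lines listed in the post above, grouping the registered codebase URLs by host so related entries can be reviewed together. The line layout, including the optional display name in parentheses, is an assumption based on the lines quoted in the post; `parse_o16` and `group_by_host` are hypothetical names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed layout: "O16 - DPF: {CLSID} (optional name) - codebase URL"
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)
# Lines quoted in the post above, plus one constructed malformed line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {39EA2F6F-3F50-4F58-9C63-4B3D53B0926E} - http://scripts.downloadv3.com/binaries/P2EClient/EGAUTH_1049_EN_XP.cab
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068_XP.cab
O16 - DPF: {E1D20694-74D9-472D-AF03-08C26173A67F} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1063_em_XP.cab
O16 - DPF: truncated-entry
"""

def parse_o16(log_text):
    """Return (entries, unparsed) for every O16 line in a HijackThis log."""
    entries, unparsed = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O16 "):
            continue  # other sections (O4, ...) are out of scope here
        m = O16_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        url = urlsplit(m["url"])
        entries.append({
            "clsid": m["clsid"].upper(),
            "name": m["name"],  # None when the log line carries no display name
            "host": (url.hostname or "").lower(),
            "cab": url.path.rsplit("/", 1)[-1],
        })
    return entries, unparsed

def group_by_host(entries):
    """Map each codebase host to the (CLSID, cab file) pairs registered from it."""
    hosts = defaultdict(list)
    for e in entries:
        hosts[e["host"]].append((e["clsid"], e["cab"]))
    return dict(hosts)

if __name__ == "__main__":
    found, skipped = parse_o16(SAMPLE_LOG)
    print(group_by_host(found))
    print("needs manual review:", skipped)
```
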
     
  7. tpiontek

    tpiontek Private E-2

    Thanks for all your help on this.
    Everything seems to be fine now. I followed the steps and nothing is detected anymore.

    The Spyware Doctor and Ewido are only the trial versions though.

    I cannot log the HijackThis file because the problem was on my girlfriend's computer, but I am not in her house anymore.
    But as far as I can tell, all the problems that needed to be fixed are in the log file. It doesn't seem to have any more suspicious programs running now.

    Thanks a lot
    Tom
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
