Help - I have outerinfo on my computer.

darlin
Regular Member
Posts: 250
Joined: Thu Jun 03, 2004 1:31 am

Post by darlin »

Hello all,

My brother was using my computer last night, and somehow managed to get outerinfo on it. Pop up heaven. :cry: I have tried using both Lavasoft Ad-Aware and Spybot S&D, and neither is picking this bugger up.

If anyone could walk me through getting rid of this bad boy, I sure would appreciate it.
Looking for a superior web host? Try the one I've used for 3years,LunarPages :thumb:
darlin
Regular Member
Posts: 250
Joined: Thu Jun 03, 2004 1:31 am

Post by darlin »

I forgot to mention that I'm running XP Pro with svc pack 2 and IE6.x . Any help would be greatly appreciated, thanks. :)
CableDude
SG VIP
Posts: 26801
Joined: Sat Jun 02, 2001 12:00 pm

Post by CableDude »

agustintorre
Regular Member
Posts: 446
Joined: Tue Dec 26, 2006 11:57 pm

Post by agustintorre »

darlin wrote:Hello all,

My brother was using my computer last night, and somehow managed to get outerinfo on it. Pop up heaven. :cry: I have tried using both Lavasoft Ad-Aware and Spybot S&D, and neither is picking this bugger up.

If anyone could walk me through getting rid of this bad boy, I sure would appreciate it.

This is the best:
http://www.superantispyware.com/
Try it! :thumb:
One time when me was high, me sold me car for like 24 chicken McNuggets. -Ali G
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Prior to doing anything XP users MUST disable System Restore!!! You can re-enable it after you are clean.

1. Download, install and run CrapCleaner to remove any temporary and junk files.

2. Download Ad-Aware SE 1.06 and set it up as shown HERE.

3. Download SpyBot Search & Destroy 1.4 and set it up as shown HERE.

4. Download SUPERAntiSpyware, update and do a full system scan.

5. Download AVG Anti-Spyware 7.5, update and do a full system scan.

6. Download and run CWShredder.

7. Do a FREE online virus scan from BitDefender Online Scan and remove all that it finds.

8. If you aren't currently using a firewall or anti-virus program then I suggest you install Comodo Firewall and Active Virus Shield - (setup instructions HERE), both are FREE and offer excellent protection.

9. It is a good idea to use Sysinternal's Autoruns to make sure you have removed all of the malware.

10. It is also a good idea to run the Winsock Fix to repair your TCP/IP stack. (You will have to redo any tweaks for your connection if this is used.)

11. If after doing ALL of the above and you are still having problems please scan with HijackThis 1.99.1 as shown HERE and post a log here in this forum for us to look at.

12. Download SpywareBlaster 3.5.1 and set it up as shown HERE to help stay spyware free.

13. Make sure you have ALL of the latest Windows Updates.

:D
darlin
Regular Member
Posts: 250
Joined: Thu Jun 03, 2004 1:31 am

Post by darlin »

Hi,

I appreciate all of the advice. I've run both Ad-Aware and Spybot. However, neither will catch it. I read about this on both forums. This one is pretty slick. It is listed in the add/remove section, but I looked in the folder it's supposed to be in, and the folder is empty. There's a couple of new processes running on the computer, but I'm not sure which are the 2 new ones.

If I downloaded hi-jackthis, and posted the results, how hard would it be to get rid of all the files, reg entries....etc using HJT?

I have windows FW enabled, all security patches, including the latest service pack, and AVG 7.5 AV. I've had, for sometime, both adaware and spybot, and both are up to date.

Whatcha think ?
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

darlin wrote:Whatcha think ?
I think you need to follow the directions I posted for you.

:confused:
darlin
Regular Member
Posts: 250
Joined: Thu Jun 03, 2004 1:31 am

Post by darlin »

Hello mnosteele52,

Thank you for the suggestions. :) However, as I mentioned, I have already used both spybot and Ad-Aware. These will not detect this malware/adware. You can look at Lavasoft's forum, and see for yourself that it will not.

I know that once this is deleted, that you would need to restore your restore point, if I worded that correctly.

I've seen some posts where other people had this, and were told to post a HijackThis log, and then they downloaded 2 programs, ran one, posted a log, ran another and cleaned up. However, they had other crud as well, and I don't, so looking at their logs wouldn't help me.

Has anyone had this and been successfully able to get rid of it? Or does anyone else have any suggestions, or could take the time to look at a HijackThis log, and advise?

Thanks :)
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Right, that's why I recommend running a few other programs in addition to Ad Aware and SpyBot and a free online virus scan that has a much better detection rate than AVG.

;)
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Outerinfo

Post by DeboraD »

I have run all the virus scans that you have in your post and there is one that keeps coming up as undeletable and it's driving me nuts. Any advice???

the file is called Trojan_Agent.odu retadpull.exe
thanks in advance
Debora
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Where is the file located? In a system restore point? That should be the only place where it is undeletable; simply disable System Restore and reboot and it will remove it. Also, please run HijackThis 2.0 and post a log for us to see.

:D
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Here is the HijackThis report you requested

Post by DeboraD »

updated
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Ok first of all you didn't follow what I posted above, you have no active anti-virus program. You need to download Active Virus Shield and set it up as I have shown HERE and do a full system scan.

You also didn't use all of the programs I suggested, please follow these instructions then post a new log:

Prior to doing anything XP users MUST disable System Restore!!! You can re-enable it after you are clean.

1. Download, install and run CrapCleaner to remove any temporary and junk files.

2. Download Ad-Aware SE 1.06 and set it up as shown HERE.

3. Download SpyBot Search & Destroy 1.4 and set it up as shown HERE.

4. Download SUPERAntiSpyware, update and do a full system scan.

5. Download AVG Anti-Spyware 7.5, update and do a full system scan.

6. Download Windows Defender, update and do a full system scan.

7. Do a FREE online virus scan from BitDefender Online Scan and remove all that it finds.

8. If you aren't currently using a firewall or anti-virus program then I suggest you install Comodo Firewall and Active Virus Shield - (setup instructions HERE), both are FREE and offer excellent protection.

9. It is a good idea to use Sysinternal's Autoruns to make sure you have removed all of the malware.

10. It is also a good idea to run the Winsock Fix to repair your TCP/IP stack. (You will have to redo any tweaks for your connection if this is used.)

11. If after doing ALL of the above and you are still having problems please scan with HijackThis 2.0 as shown HERE and post a log here in this forum for us to look at.

12. Download SpywareBlaster 3.5.1 and set it up as shown HERE to help stay spyware free.

13. Make sure you have ALL of the latest Windows Updates.

:rtfm:
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Post by DeboraD »

I can't have an active anti-virus program on this computer; it messes up the VPN I have to use for work. After I used the programs you suggested I had to delete them out of my system because I'm not allowed to have any freeware on my computer at all. I had to work on the VPN today, and they run a test before I start my shift, and if they find anything that they don't approve of then they will not let me work. I was on vacation for 2 weeks out of town and a friend used this computer while I was gone, and it's been messed up ever since, but I will redo everything in your post as you suggested, but I have to delete it afterwards, and I am clicking the disable System Restore button when I do all of this. Like I said, I am rather stupid when it comes to computers, but I do follow instructions well.

thanks for your time I will try again
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Well you are definitely infected and the only way to fix things is to have a resident anti-virus program, the malware is loading at boot up and you have nothing to stop it. I find it hard to believe they allow you to have AOHELL installed but don't require a top notch anti-virus program, the IT people where you work are morons. In any case we can get you straight it will just take a bit of work.

:)
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Post by DeboraD »

I am doing what you said. I gotta get rid of this crap, and yes, the IT people are a bit crazy. Ever since I started this job I've been in fear of getting a virus; been lucky for 2 years, but I've also guarded this computer with my life. I've even asked the IT guy to log in my computer and fix it and he said it isn't his job to do that ...grrrrrrr, so I'm trying to fight it myself ..with your help of course. And yes, AOL is hell, but I've had it so long and a lot of emails that are work related, and don't know how to transfer them to something else so I can get rid of AOL....ok, back to downloading the Shield....wish me luck and thanks again
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

You can use AOL's email without having AOL installed on your PC, just go to their site and log in. AOL messes up A LOT of things on your PC; when a client brings me a PC with AOL I always throw out the disclaimer.....

;) :D
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Post by DeboraD »

I need everything in my personal filing cabinet on AOL; once I learn how to transfer that I will delete AOL..ok, got the anti-virus downloaded and installed, it's scanning now...thanks again
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

scan results from virus scan

Post by DeboraD »

virus scan log saved if needed
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Did the scan find anything? Now post a new HijackThis log.

:)
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Post by DeboraD »

redid below
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Post by DeboraD »

still scanning with avg but here's the hijack log so far


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:51:27 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1161916101\ee\AOLSoftware.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\DEBBIE~1\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\America Online 9.0\shellmon.exe
c:\program files\common files\aol\1161916101\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1161916101\ee\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Debbie Downey\Local Settings\Temporary Internet Files\Content.IE5\3JQP0UIB\HiJackThis_v2[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... x_homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-ad-proxy.sabre.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://password.sabre.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 205.188.179.233 login.oscar.aol.com
O1 - Hosts: 63.241.224.150 scan.wslive.com
O1 - Hosts: 63.241.206.136 wslive.com
O1 - Hosts: 63.241.206.132 workingsol.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161916101\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adxgate.net
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.west.com
O15 - Trusted Zone: *.workathome.com
O15 - Trusted Zone: *.workathome.net
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommo ... gctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/co ... mHcmsX.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/do ... ase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6152030734
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37540.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/i ... downls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aol126.pogo.com/game/deluxe/zuma ... der_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://workingsol.webex.com/client/T23 ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC203BB6-9843-48FD-BB3D-471BF97D19F0}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 63.241.133.137 4.2.2.2 4.2.2.3 63.241.193.68 63.241.133.37
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 63.241.133.137 4.2.2.2 4.2.2.3 63.241.193.68 63.241.133.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 63.241.133.137 4.2.2.2 4.2.2.3 63.241.193.68 63.241.133.37
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\DEBBIE~1\LOCALS~1\TEMP\_VWUPSRV.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://mail.google.com/mail/images/card_left.gif

--
End of file - 11253 bytes
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Post by DeboraD »

any advice ???? is it clean or do I need to do something else ????

Dee
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

Not sure about that password.sabre.com line but other than that it looks like you're only infected with AOL.
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Post by DeboraD »

any suggestions on how to get uninfected with AOL other than deleting AOL ????
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

DeboraD wrote:any suggestions on how to get uninfected with AOL other than deleting AOL ????
Well, you uninstall it, unless you use it; then you couldn't use it :)
DeboraD
New Member
Posts: 11
Joined: Tue May 22, 2007 12:01 am

Post by DeboraD »

yeah I use it a lot .. now that it's free
Honeydew

Post by Honeydew »

darlin wrote:Hello mnosteele52,

Thank you for the suggestions. :) However, as I mentioned, I have already used both spybot and Ad-Aware. These will not detect this malware/adware. You can look at Lavasoft's forum, and see for yourself that it will not.

I know that once this is deleted, that you would need to restore your restore point, if I worded that correctly.

I've seen some posts where other people had this, and were told to post a HijackThis log, and then they downloaded 2 programs, ran one, posted a log, ran another and cleaned up. However, they had other crud as well, and I don't, so looking at their logs wouldn't help me.

Has anyone had this and been successfully able to get rid of it? Or does anyone else have any suggestions, or could take the time to look at a HijackThis log, and advise?

Thanks :)
Hi!! I just got this outerinfo thing a couple of days ago..I thought it was just temporary but it wasn't D:
So today I got very suspicious and consulted a friend. I removed outerinfo from the add/remove programs and hopefully it doesn't show up again. Oh, by the way, when I first received outerinfo, it installed some components in my computer. It was on my desktop and I just deleted it. My friend sent me the HijackThis thing but my McAfee firewall was acting very weetarded so it wouldn't accept. D: So far, it's not popping up again. I hope it stays this way..I have one question though..will this adware harm my computer in any way? Well, thanks in advance! :)
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

Of course adware can harm your PC.

McAfee isn't the best; grab Comodo Firewall, it's a freebie, and grab HijackThis off the net. Google will have plenty of links to both (or check mnosteele's post).

For adware and spyware I like to use adaware/spybot/spywareblaster to remove stuff and spyware blaster to prevent future infections, spybot also has an immunize feature to help prevent them as well.
typistgal

Post by typistgal »

mnosteele52 - I can't thank you enough for the clear step-by-step instructions you posted in order to remove outerinfo from an infected machine. I followed your directions to a T and my machine is running great! I work from home as a medical transcriptionist and absolutely must have a machine that runs without any problems whatsoever. Following your instructions allowed me to restore my PC to the way it was prior to being infected. I was, as you very well know, able to clean up far more than I had hoped and again, my PC is as happy as I am!

THANK YOU!!!!!
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

typistgal wrote:mnosteele52 - I can't thank you enough for the clear step-by-step instructions you posted in order to remove outerinfo from an infected machine. I followed your directions to a T and my machine is running great! I work from home as a medical transcriptionist and absolutely must have a machine that runs without any problems whatsoever. Following your instructions allowed me to restore my PC to the way it was prior to being infected. I was, as you very well know, able to clean up far more than I had hoped and again, my PC is as happy as I am!

THANK YOU!!!!!
Glad to help and thank you for the kind words.

:D
B2BW

Post by B2BW »

Sorry for the delete
amcfadzen24

help...outerinfo mess

Post by amcfadzen24 »

Help!! Somehow I ended up with this horrible outerinfo mess. I have downloaded HijackThis and below is the notepad, but I don't know what to do from here, and the message that I shouldn't do anything until I talk to someone has me terrified...what do I do??

Logfile of HijackThis v1.99.1
Scan saved at 9:09:57 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\QWxp\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\rwwnw64d.exe
C:\Documents and Settings\Ali\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\limewire\limewire.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nwacc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nwacc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nwacc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {D86886BB-DFB7-492C-ABE0-42C057B3A3D8} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [{7B-BB-B6-6B-DW}] C:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Ali\svchost.exe
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Ali\Application Data\Deskbar_{C814CBD9-C4B0-42b9-906F-1E5C94AB9E02}\starter.exe
O4 - HKLM\..\Run: [{c65ced9d-7a0b-01f2-b87a-82cb7337f06c}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{0446eb06-ed59-176c-c0be-379064bad260}.dll" DllInit
O4 - HKLM\..\Run: [2c57bbc4] rundll32.exe "C:\WINDOWS\system32\cumrknpb.dll",b
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdn.exe DWram
O4 - HKLM\..\Run: [BM2f648858] Rundll32.exe "C:\WINDOWS\system32\kcctkprv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWxp\command.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

In HijackThis, check the following and click "Fix checked":

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: (no name) - {D86886BB-DFB7-492C-ABE0-42C057B3A3D8} - (no file)

O4 - HKLM\..\Run: [{7B-BB-B6-6B-DW}] C:\windows\system32\rwwnw64d.exe DWram

O4 - HKLM\..\Run: [{c65ced9d-7a0b-01f2-b87a-82cb7337f06c}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{0446eb06-ed59-176c-c0be-379064bad260}.dll" DllInit


O4 - HKLM\..\Run: [2c57bbc4] rundll32.exe "C:\WINDOWS\system32\cumrknpb.dll",b

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdn.exe DWram

O4 - HKLM\..\Run: [BM2f648858] Rundll32.exe "C:\WINDOWS\system32\kcctkprv.dll",s

O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe

O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWxp\command.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


Delete these files as well:

C:\windows\system32\rwwnw64d.exe

C:\WINDOWS\system32\tcntaxdn.exe

If you don't have a virus scanner on your PC I would look into Avira AntiVir; it's free and only a Google away :)
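
Added example, not part of any post in this thread: a small Python triage script that applies a few autostart heuristics to lines copied from the HijackThis v1.99.1 log posted above. The heuristics, function names and reason strings are assumptions chosen for illustration, not HijackThis's own logic; a flag is a lead to verify by hand, not a verdict.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the HijackThis v1.99.1 log posted earlier in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [{7B-BB-B6-6B-DW}] C:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Ali\svchost.exe
O4 - HKLM\..\Run: [2c57bbc4] rundll32.exe "C:\WINDOWS\system32\cumrknpb.dll",b
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
R3 - URLSearchHook: (no name) - {D86886BB-DFB7-492C-ABE0-42C057B3A3D8} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWxp\command.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
'''

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")                  # "O4 - <detail>"
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)  # first drive-rooted binary
RUN_NAME = re.compile(r"Run: \[(.+?)\]")                    # registry value name
RANDOM_NAME = re.compile(r"\{.*\}|[0-9a-f]{8}", re.I)       # brace-wrapped or 8 hex chars

# Windows XP processes that normally run only from %SystemRoot%\System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}


def parse(log_text):
    """Yield (section, detail, path_or_None) for every entry line."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        p = PATH.search(detail)
        yield section, detail, (p.group(0) if p else None)


def triage(log_text):
    """Return [(detail, [reasons])] for entries that trip at least one heuristic."""
    entries = list(parse(log_text))

    # Count how many O4 autostart entries point at the same binary.
    autoruns = defaultdict(int)
    for section, _, path in entries:
        if section == "O4" and path:
            autoruns[path.lower()] += 1

    findings = []
    for section, detail, path in entries:
        reasons = []
        if "(no file)" in detail or "(file missing)" in detail:
            reasons.append("dangling reference")
        if section == "O23" and "Unknown owner" in detail:
            reasons.append("service without vendor string")
        if section == "O4":
            name = RUN_NAME.search(detail)
            if name and RANDOM_NAME.fullmatch(name.group(1)):
                reasons.append("machine-generated value name")
            if "rundll32" in detail.lower():
                reasons.append("DLL launched via rundll32")
            if path and autoruns[path.lower()] > 1:
                reasons.append("same binary in several autostart locations")
        if path:
            base = ntpath.basename(path).lower()
            folder = ntpath.dirname(path).lower()
            if base in SYSTEM_NAMES and not folder.endswith(r"\windows\system32"):
                reasons.append("system process name outside System32")
        if reasons:
            findings.append((detail, reasons))
    return findings


if __name__ == "__main__":
    for detail, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons))
        print("    " + detail)
```

Legitimate software trips some of these checks too (drivers commonly start through rundll32, and some vendor services show "Unknown owner"), so each flagged entry still needs to be checked against the file on disk before anything is fixed or deleted.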