Adware causing popups in IE (outerinfonetwork)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by eagle2, Aug 12, 2005.

  1. eagle2

    eagle2 Private E-2

    I read and followed all the directions in the Read This First: Spyware, etc, thread. I still get popups in IE for things such as winfixer and partypoker.com. Four days ago a trojan got through my Norton quarantine and ZoneAlarm. Now I have a program on my Add/Remove menu called OIN (outerinfonetwork). It gives me the remove option, but I was afraid to try it before asking an expert. Can you please help?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. eagle2

    eagle2 Private E-2

    thanks
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Microsoft Antispyware
    (Uninstall this because it will block parts of this fix)


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {961EE06B-74FF-040E-DE9F-7582C86D7CB4} - C:\WINDOWS\system32\bqdiaiwn.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"/BEFOREINSTALL
    O4 - HKCU\..\Run: [Oevs] C:\WINDOWS\system32\??anregw.exe
    O4 - HKCU\..\Run: [Cpue] C:\Program Files\sswp\cruu.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

    O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\K92RWXIN\CWShredder[1].exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\sswp ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\??anregw.exe
    (You will need to manually search for this file, the ? represents an unprintable character so it will be at the bottom of the list. Once located right click and delete it)


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.
    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, reboot and attach a fresh HJT log. Also let me know how things are running.
     
    Last edited by a moderator: Sep 2, 2005
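
An added example, not part of the original posts and not HijackThis's own code: a short Python triage over some of the log lines quoted in the post above. The flag names and the three heuristics (orphaned entry, `?` placeholder in a path, autorun or service launching from a download/cache directory) are assumptions chosen for illustration.

```python
import re

# Entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {961EE06B-74FF-040E-DE9F-7582C86D7CB4} - C:\WINDOWS\system32\bqdiaiwn.dll (file missing)
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"/BEFOREINSTALL
O4 - HKCU\..\Run: [Oevs] C:\WINDOWS\system32\??anregw.exe
O4 - HKCU\..\Run: [Cpue] C:\Program Files\sswp\cruu.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\K92RWXIN\CWShredder[1].exe (file missing)
"""

ENTRY_RE = re.compile(r'^(O\d+) - (.+)$')
PATH_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"\r\n]*')
ORPHAN_RE = re.compile(r'\s*\((no file|file missing)\)\s*$')
# Assumption: directories an autorun or service should not normally start from.
CACHE_DIRS = ('\\temporary internet files\\', '\\downloaded program files\\')


def triage(line):
    """Return section, path and heuristic flags for one log line, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    flags = []
    if ORPHAN_RE.search(body):
        flags.append('orphaned')          # registry entry outlived its file
    body = ORPHAN_RE.sub('', body)
    pm = PATH_RE.search(body)
    path = pm.group(0).strip() if pm else None
    if path:
        # '?' is not legal in a Windows file name, so in a path it can only
        # be a stand-in for a character the log could not print.
        if '?' in path:
            flags.append('unprintable-name')
        if section in ('O4', 'O23') and any(d in path.lower() for d in CACHE_DIRS):
            flags.append('download-or-cache-path')
    return {'section': section, 'path': path, 'flags': flags}


def triage_log(text):
    """Triage every recognisable entry in a pasted log."""
    return [row for row in map(triage, text.splitlines()) if row]


if __name__ == '__main__':
    for row in triage_log(SAMPLE_LOG):
        print(row['section'], row['flags'], row['path'])
```

The `cruu.exe` entry comes back with no flags: these path heuristics do not catch it, so an unflagged line is not the same as a clean one.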
  5. eagle2

    eagle2 Private E-2

    Almost everything went OK, but

    O4 - HKCU\..\Run: [Oevs] C:\WINDOWS\system32\??anregw.exe
    and
    O4 - HKCU\..\Run: [Cpue] C:\Program Files\sswp\cruu.exe
    didn't show up in the safe mode scan.

    Also, I deleted C:\Program Files\sswp. I couldn't find C:\WINDOWS\system32\??anregw.exe

    Here's my new HJT log, not in Safe Mode
     

    Attached Files:

  6. eagle2

    eagle2 Private E-2

    Update: I'm still getting popups
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    ??anregw.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKCU\..\Run: [Oevs] C:\WINDOWS\system32\??anregw.exe
    O4 - HKCU\..\Run: [Cpue] C:\Program Files\sswp\cruu.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\sswp ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\??anregw.exe (You will need to manually search for this file, the ? represents an unprintable character so it will be at the bottom of the list. Once located right click and delete it)

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
     
  8. eagle2

    eagle2 Private E-2

    Sorry it's been so long, I've been moving into the dorm.

    I did everything you asked.

    couldn't find

    C:\WINDOWS\system32\??anregw.exe
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ is one of the many people impacted by hurricane Katrina. Let's hope all is well.

    Your log is clean now. Are you having any other malware problems?
     
