annoying pop-up ads "by OuterInfo"

Discussion in 'Malware Help (A Specialist Will Reply)' started by Fizz, Jun 27, 2006.

  1. Fizz

    Fizz Private E-2

    Just recently I started getting these pop-up ads only while I browse the web that all say they are by outerinfo in the title bar.

    Ok, first I went through all the steps in the "read and run me first" thread..with little success. CCleaner and CounterSpy (I'm running Windows ME) both had errors trying to start them up. I couldn't download the latest Sun Java version and both online scans wouldn't run. whew......go me..

    Ad-Aware SE and Spybot I have been using for a long time and they worked fine. Both found some things and I fixed them, but there were two things that Ad-Aware couldn't fix..don't remember what they were though.

    So, I ran HijackThis with hidden files visible and a normal Windows start-up, and saw some suspicious things..I don't know if it helps, but when I press Ctrl-Alt-Del to check what programs are running, a few new things that I haven't seen before are "Kotjt", "Userinit", "!update" and "Jgi" (or it might've been Jpi). I don't see the Jgi thing anymore since using Ad-Aware and Spybot.

    Anyway, attached is my HijackThis log. Hope someone can help.

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log ( Make sure you install it properly because you had it incorrectly installed in your first log ):
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. Fizz

    Fizz Private E-2

    I went through all the steps in that sticky in the right order all over again...This is the best I can do. This time though, CCleaner and CounterSpy both ran. Ad-Aware and Spybot didn't find anything. Still, I couldn't get either of the on-line scanners (Bitdefender or Panda ActiveScan) to load/run.

    I'm still getting occasional pop-ups..but it doesn't seem to be as bad as before. I have the CounterSpy log below, and as far as HijackThis, I reinstalled it exactly following the directions in the post and ran it after a normal boot..not sure if I was supposed to close any of the programs running in the background so I didn't do that.

    Please try to tell me more specifically what I'm doing wrong.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Educational Note: You should not install programs like this:
    C:\WINDOWS\DESKTOP\MY STUFF\PROGRAMS\SPYWARE TOOLS\SUNTHREATENGINE.EXE
    C:\WINDOWS\DESKTOP\MY STUFF\PROGRAMS\SPYWARE TOOLS\SUNPROTECTIONSERVER.EXE
    C:\WINDOWS\DESKTOP\MY STUFF\PROGRAMS\SPYWARE TOOLS\SUNSERVER.EXE

    You should always install programs into their default folder which is normally under C:\Program Files

    You do not want all this clutter on your Desktop and in addition anything not installed and seen running from the correct folders is always suspected as being malware. Your Desktop should only have Shortcuts that are used to run programs. Not the actual installed programs themselves.

    Here is another example problem of how not to install something:

    C:\MY DOCUMENTS\AAOP\USERINIT.EXE

    This looks like malware to me for two reasons. First because of where it is running from and second because of the userinit.exe filename. Is this something you installed? It could be this:

    http://www.sofotex.com/TSEP---The-Search-Engine-Project-download_L27025.html

    Or it could be something else or malware.


    You did not allow CounterSpy to fix anything. You ignored everything. Please run it again and this time tell it to fix what it found.

    It does not look like you ran step 0 of the READ ME. I see Virtual Bounce (VBouncer) running. Did you look for it in Add/Remove programs and uninstall if found?

    I'll give you some stuff to start fixing while I wait for answers to the above.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\PROGRAM FILES\COMMON FILES\RHSO\WMAOPXQ.EXE

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {35E76296-DD22-F583-0696-F64A3586A3CF} - C:\WINDOWS\SYSTEM\UFXHNJA.DLL
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 195.13.63.187 irc.westwood.com
    O1 - Hosts: 195.13.63.187 servserv.westwood.com
    O2 - BHO: (no name) - {35E76296-DD22-F583-0696-F64A3586A3CF} - C:\WINDOWS\SYSTEM\UFXHNJA.DLL
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKCU\..\Run: [Oyihnvb] C:\Program Files\Common Files\Rhso\wmaopxq.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WildTangent <--- the whole folder
    C:\Program Files\VBOUNCER <--- the whole folder
    C:\Program Files\Common Files\Rhso <--- the whole folder
    C:\Program Files\AWS <--- the whole folder
    C:\WINDOWS\SYSTEM\UFXHNJA.DLL

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  5. Fizz

    Fizz Private E-2

    Thanks!

    The C:\MY DOCUMENTS\AAOP\USERINIT.EXE is definitely not something I installed or wanted, and the whole AAOP folder was created just last sunday without me having any idea of it.

    Sorry, I didn't see anywhere in the tutorial or in the program to 'fix' anything for the CounterSpy, but I'll check again.

    I did do step 0 of the READ ME, but there is nothing unusual left for me to uninstall. I did see a VBouncer thing in there before, but I uninstalled it through this method and still traces of it are seen in odd places. Still, I think I've had that on this PC for a long time. The pop-up problems I get now started happening within a few days to a week ago.

    I'll try steps 5-6 again and make sure to have CounterSpy fix the problems this time.

    I also made the fixes you told me to make with HJT, hidden files visible of course. However, the following items weren't present this time:

    in hijackthis:
    R3 - URLSearchHook: (no name) - {35E76296-DD22-F583-0696-F64A3586A3CF} - C:\WINDOWS\SYSTEM\UFXHNJA.DLL
    O2 - BHO: (no name) - {35E76296-DD22-F583-0696-F64A3586A3CF} - C:\WINDOWS\SYSTEM\UFXHNJA.DLL

    files:
    C:\Program Files\VBOUNCER
    C:\WINDOWS\SYSTEM\UFXHNJA.DLL

    Here's a new HJT log

    Edit: so far I haven't been seeing any pop-ups, but I also haven't browsed the web a whole lot either yet

  6. Fizz

    Fizz Private E-2

    ok, I redid steps 5 and 6. Ad-Aware found nothing, spyware found and fixed a WildTangent problem. CounterSpy came up with a bunch of garbage, fixed all that this time. Now, Bitdefender actually ran this time, but only in normal boot mode. Panda ActiveScan still wouldn't run.

    Below is the Bitdefender log and my most recent HijackThis log.

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you re-run CounterSpy yet? Did you let it fix what it finds? Attach a new log from CounterSpy after doing this.

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
  8. Fizz

    Fizz Private E-2

    Thanks, I still haven't seen any more of the pop-ups. That aaop folder in "My Documents" still looks suspicious to me though since I never knowingly put it there.

    Attached is the uninstall list and my second CounterSpy log (for the scan where I applied the fixes).

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay CounterSpy cleaned up a pile of baddies!

    Oooooh a Command & Conquer player! ;)

    You never truly follow the directions in the READ & RUN ME. If you had, you would not be using a 3-year-old version of Spybot. You are running:

    Spybot - Search & Destroy 1.2

    Uninstall it and install the proper version as given in the READ ME. Make sure you get ALL updates and use the Immunize feature.

    You should also uninstall the below very old version of Ad-Aware:
    Ad-aware 6 Personal


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\MY DOCUMENTS\AAOP\USERINIT.EXE

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {2F58C96A-2ED0-5227-A1EC-01D58C2DEA9D} - C:\WINDOWS\SYSTEM\EGW.DLL
    O4 - HKCU\..\Run: [Tsep] "C:\My Documents\aaop\userinit.exe" -vt yazr

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\EGW.DLL
    C:\My Documents\aaop <--- delete the whole aaop folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
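The two clean-up posts above (the one listing UFXHNJA.DLL, Rhso and VBouncer, and this one listing EGW.DLL and the aaop folder) apply the same reading rules to a HijackThis log: an executable running from the Desktop or My Documents is suspect, a file named like a Windows system binary (userinit.exe) living outside the Windows folder is suspect, an unnamed URLSearchHook and an unnamed BHO sharing one CLSID point at the same hijacker DLL, and hosts-file overrides get reviewed. The script below is an added example that mechanises those rules; it is not code from this thread, from MajorGeeks or from HijackThis. The heuristics, the reason labels and the helper names are my own, and the sample log is constructed from the entries quoted in the thread plus two lines added for contrast (a stock Win9x ScanRegistry entry as a known-good control, and a Run entry modelling the CounterSpy-installed-on-the-Desktop case chaslang objects to).

```python
"""Triage HijackThis-style log lines using the rules chaslang applies by eye.

Added example, not code from the thread or from HijackThis.  Heuristics and
reason labels are my own; the sample log below is constructed from the entries
quoted in this thread plus two entries added for contrast.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample (NOT the poster's attached log).  ScanRegistry is a stock
# Win9x/ME Run entry kept as a known-good control; the SunThreatEngine line
# models the CounterSpy-installed-on-the-Desktop case chaslang objects to.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R3 - URLSearchHook: (no name) - {35E76296-DD22-F583-0696-F64A3586A3CF} - C:\WINDOWS\SYSTEM\UFXHNJA.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 195.13.63.187 irc.westwood.com
O2 - BHO: (no name) - {35E76296-DD22-F583-0696-F64A3586A3CF} - C:\WINDOWS\SYSTEM\UFXHNJA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SunThreatEngine] C:\WINDOWS\DESKTOP\MY STUFF\PROGRAMS\SPYWARE TOOLS\SUNTHREATENGINE.EXE
O4 - HKCU\..\Run: [Oyihnvb] C:\Program Files\Common Files\Rhso\wmaopxq.exe
O4 - HKCU\..\Run: [Tsep] "C:\My Documents\aaop\userinit.exe" -vt yazr
"""

# A quoted path, else an unquoted one running up to the first .exe/.dll.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll))', re.I)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Folders where installed programs should not live (Win9x and NT-family names).
USER_DATA_DIRS = {"desktop", "my documents", "documents and settings", "temp", "application data"}
# Windows binaries whose names malware borrows; legitimate only inside the Windows dir.
SYSTEM_BINARY_NAMES = {"userinit.exe", "winlogon.exe", "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}


@dataclass
class Finding:
    line: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def extract_path(line: str) -> Optional[str]:
    """First Windows path in an HJT line, or None (registry keys have no drive letter)."""
    m = PATH_RE.search(line)
    return (m.group(1) or m.group(2)) if m else None


def in_system_dir(path: str) -> bool:
    r"""True for X:\WINDOWS, X:\WINDOWS\SYSTEM or X:\WINDOWS\SYSTEM32 on any drive."""
    parts = [p.lower().rstrip("\\") for p in PureWindowsPath(path).parent.parts]
    return (len(parts) >= 2 and parts[1] == "windows"
            and (len(parts) == 2 or (len(parts) == 3 and parts[2] in ("system", "system32"))))


def triage(log_text: str) -> List[Finding]:
    """Return only the lines that trip at least one heuristic, with the reasons."""
    rows = []
    clsid_kinds = {}  # CLSID -> set of section prefixes (R3/O2) it appears in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line[:2]
        m = CLSID_RE.search(line)
        clsid = m.group(0).upper() if m else None
        if clsid and kind in ("R3", "O2"):
            clsid_kinds.setdefault(clsid, set()).add(kind)
        rows.append((line, kind, clsid))

    findings = []
    for line, kind, clsid in rows:
        reasons = []
        path = extract_path(line)
        if path:
            parts = [p.lower() for p in PureWindowsPath(path).parts]
            if any(p in USER_DATA_DIRS for p in parts):
                reasons.append("runs-from-user-folder")
            if parts[-1] in SYSTEM_BINARY_NAMES and not in_system_dir(path):
                reasons.append("system-name-outside-system-dir")
        if kind == "O1":
            reasons.append("hosts-override")
        if kind in ("R3", "O2") and "(no name)" in line:
            reasons.append("unnamed-hook-or-bho")
        if clsid and clsid_kinds.get(clsid) == {"R3", "O2"}:
            reasons.append("clsid-in-both-hook-and-bho")
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("dangling-entry")
        if reasons:
            findings.append(Finding(line, path, reasons))
    return findings


def reasons_for(findings: List[Finding], needle: str) -> set:
    """Union of reasons on flagged lines containing `needle`; empty if none flagged."""
    return {r for f in findings if needle in f.line for r in f.reasons}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(", ".join(f.reasons).ljust(48), f.line)
```

Run as-is and it lists six of the nine sample lines. The userinit.exe entry trips two rules at once (user folder plus a borrowed system-binary name), the UFXHNJA.DLL hook and BHO are tied together by their shared CLSID, and the SunThreatEngine line shows the point chaslang makes about install locations: a legitimate tool installed under the Desktop is indistinguishable from malware by path alone, which is why he wants programs under C:\Program Files. Two caveats a practitioner should keep: the Rhso\wmaopxq.exe entry passes every rule here even though chaslang identified it as the pop-up source, so path heuristics are a first pass and not a verdict, and a hosts override or a "(no name)" hook is a prompt to look, not proof of infection, since users and game installers write hosts entries too.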
     
  10. Fizz

    Fizz Private E-2

    Still no pop-ups! :)

    hahahah..OOPS..I was wondering what the hell TeaTimer was since I never saw any of it. The new Spybot version found and fixed some old things that I didn't know about. Also, Ad-Aware 6 was the first version I got, then I got SE, and pretty much forgot about 6.

    In HijackThis, I couldn't find "C:\MY DOCUMENTS\AAOP\USERINIT.EXE" in the process manager. I guess it wasn't running? Everything else went smoothly.

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so how is everything working now?

    You should uninstall CounterSpy and do not install things to your Desktop anymore. CounterSpy is only a 15 day trial which will not work after the trial period. If you are going to buy it, then you should still uninstall it and then reinstall it properly into its default folder which is suggested while running the install program.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link (you need a Firewall & an antivirus program ASAP):

    How to Protect yourself from malware!
     
  12. Fizz

    Fizz Private E-2

    Everything is fine now. I'll be sure to finish up with those steps. Thanks very much. :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
