outerinfo popups are resistant to all scans in read & run me first & hijackthis

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kruzy, Feb 3, 2006.

  1. Kruzy

    Kruzy Private E-2

    This very persistent set of pop-ups won't stop. At the end of the title on the very top of the window they all say they are "by outerinfo." I followed all of the directions in READ & RUN ME FIRST except for BitDefender (BitDefender seemed to get stuck when scanning Spybot Search & Destroy's program files). I didn't run any of the alternative scans from step 8. I scanned my computer with Norton Anti-Virus (with the current updates). And I followed the tutorial for using HijackThis, which fixed 7 potential problems. My OS is XP Home Edition with SP2, bought from Gateway. It has an Intel Pentium 4A, 2500 MHz processor, and 246 MB SDRAM. My internet runs at about 364 Kbps (download) and 128 Kbps (upload). Attached I have the HijackThis log and the Panda ActiveScan log.

    Hope somebody can help,

    Thanks Kruzy
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\sder\dees.exe
    C:\WINNT\system32\??pPatch\cmd.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {321F9CE4-5058-51A0-2AB9-7395B985DFCD} - C:\WINNT\system32\jtk.dll (file missing)
    O2 - BHO: (no name) - {32926D19-AAA4-FF58-DF57-DD7F646AD59C} - C:\WINNT\system32\fifz.dll (file missing)
    O2 - BHO: (no name) - {3BC76C4D-FCA0-F40A-D957-DD7F646AD89E} - C:\WINNT\system32\csxbe.dll
    O2 - BHO: (no name) - {4045D3FA-1C12-4FEA-695D-3831B3BEFFC2} - C:\WINNT\system32\sgh.dll (file missing)
    O2 - BHO: (no name) - {40FCC488-0167-049A-42CB-21A05A8AF2C8} - C:\WINNT\system32\jglgpx.dll (file missing)
    O2 - BHO: (no name) - {62269824-00C9-0237-BB94-243080D6D1CB} - C:\WINNT\system32\nszepy.dll (file missing)
    O2 - BHO: (no name) - {7595F023-3BCD-3B63-BE6D-1E2361B9CBC9} - C:\WINNT\system32\twixykx.dll (file missing)
    O2 - BHO: (no name) - {7F5A1EE2-D45E-DFF4-28F9-A7F8FFE6CFCA} - C:\WINNT\system32\ztlqx.dll (file missing)
    O2 - BHO: (no name) - {8BCB07B0-9C0F-CFA7-7D0E-B889687D64CD} - C:\WINNT\system32\xmlh.dll (file missing)
    O2 - BHO: (no name) - {93012D6B-B7D4-B621-F5F4-923BF3237397} - C:\WINNT\system32\bce.dll (file missing)
    O2 - BHO: (no name) - {930BFA3A-3484-6126-AA87-4596F9A179C9} - C:\WINNT\system32\vchlsod.dll (file missing)
    O2 - BHO: (no name) - {98520AE5-9F03-C6F3-715E-BD09F06323C0} - C:\WINNT\system32\zhk.dll (file missing)
    O2 - BHO: (no name) - {9BC7D47B-18CB-1B3D-B211-3C01309C2EC8} - C:\WINNT\system32\eqbeje.dll (file missing)
    O2 - BHO: (no name) - {A40E57B7-9C57-9CF1-7E48-ECECAE911AC1} - C:\WINNT\system32\hmy.dll (file missing)
    O2 - BHO: (no name) - {CBCA1F03-DCB9-884A-CD01-ADC86CF82B91} - C:\WINNT\system32\fehlkkdz.dll (file missing)
    O2 - BHO: (no name) - {E2169E7C-0FCD-533B-B1D1-25C0BCE35898} - C:\WINNT\system32\ruern.dll (file missing)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [netui1] C:\WINNT\System32\netui1.exe
    O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt ndrv
    O4 - Global Startup: PowerReg Scheduler.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (most of these may already be gone):
    C:\WINNT\system32\ruern.dll << This file
    C:\WINNT\system32\fehlkkdz.dll << This file
    C:\WINNT\system32\hmy.dll << This file
    C:\WINNT\system32\eqbeje.dll << This file
    C:\WINNT\system32\zhk.dll << This file
    C:\WINNT\system32\vchlsod.dll << This file
    C:\WINNT\system32\bce.dll << This file
    C:\WINNT\system32\xmlh.dll << This file
    C:\WINNT\system32\ztlqx.dll << This file
    C:\WINNT\system32\twixykx.dll << This file
    C:\WINNT\system32\nszepy.dll << This file
    C:\WINNT\system32\jglgpx.dll << This file
    C:\WINNT\system32\sgh.dll << This file
    C:\WINNT\system32\csxbe.dll << This file
    C:\WINNT\system32\fifz.dll << This file
    C:\WINNT\system32\jtk.dll << This file
    C:\WINNT\System32\netui1.exe << This file
    C:\Program Files\sder << This folder
    C:\WINNT\system32\??pPatch\cmd.exe << This file. In fact, tell me what this folder name really is. The ??pPatch is not the real name. The ?? occur because of non-valid characters in the name. Malware does this to mess you up.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
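The reply above does two things by eye that are easy to automate: it picks out the unnamed BHO entries whose DLL is already gone (an orphaned CLSID registration) and it notices a folder name whose characters a non-Unicode console prints as "??". The following is an added example, not code from the thread or from HijackThis; the log lines and the folder name are constructed to resemble the ones quoted above (the fullwidth letters are an assumption about how such a name could be spelled, not the actual folder on the poster's machine).

```python
"""Triage helpers for HijackThis-style log lines (added example).

Flags unnamed BHOs and BHOs marked "(file missing)", and lists the
characters in a path component that fall outside printable ASCII,
which is what shows up as '??' in a log written through an ANSI codepage."""
import re
import unicodedata

# Matches "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]".
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage_bho(line):
    """Return (dll_path, reasons) for an O2 line, or None for other lines."""
    m = BHO_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m["name"] == "(no name)":
        reasons.append("unnamed BHO")
    if m["missing"]:
        reasons.append("DLL missing, CLSID registration is orphaned")
    return m["path"], reasons


def odd_chars(name):
    """List (position, char, Unicode name) for every control or non-ASCII
    character in a file or folder name component."""
    return [(i, c, unicodedata.name(c, "<unnamed>"))
            for i, c in enumerate(name)
            if ord(c) < 0x20 or ord(c) > 0x7E]


# Constructed samples: two log lines modelled on the reply, plus a folder
# name spelled with fullwidth 'A' and 'p' (U+FF21, U+FF50) so that it
# looks like "AppPatch" in Explorer but prints as "??pPatch" elsewhere.
SAMPLE_LINES = [
    "O2 - BHO: (no name) - {E2169E7C-0FCD-533B-B1D1-25C0BCE35898}"
    " - C:\\WINNT\\system32\\ruern.dll (file missing)",
    "O2 - BHO: (no name) - {3BC76C4D-FCA0-F40A-D957-DD7F646AD89E}"
    " - C:\\WINNT\\system32\\csxbe.dll",
]
SAMPLE_FOLDER = "\uff21\uff50pPatch"

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage_bho(sample))
    print(odd_chars(SAMPLE_FOLDER))
```

Run it against a real HJT log with `for line in open("hijackthis.log"): triage_bho(line)` and feed each suspicious directory component to `odd_chars` to recover the true name of a folder that the log renders with question marks.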
     
  3. Kruzy

    Kruzy Private E-2

    OK, I ended the processes, had HJT fix all of the entries you listed, then I booted into safe mode. Unfortunately, only 1 of the files that you listed almost existed on my computer:

    C:\WINNT\System32\netui1.dll

    which was close to what you told me to get rid of:

    C:\WINNT\System32\netui1.exe

    I checked the properties for the file and I noticed that it was set to open with olbackup.exe. Out of curiosity I checked another .dll file and sure enough it opened with olbackup.exe also, along with every .dll file that I opened in my System32 folder. Upon a search for olbackup.exe I located it in

    C:\Program Files\Quicken

    then I deleted it. Oh, and by the way:

    C:\WINNT\system32\??pPatch\ ??=Ap

    I have attached the HJT log for you to review, but I think the problem seems to be fixed--not a single popup yet. And for the system restore step, I am going to do that right now.

    Thanks, Kruzy
     


  4. Kruzy

    Kruzy Private E-2

    I need to correct myself: I said the file was olbackup.exe, but it was actually OIbackup.exe.

    Kruzy
     
  5. Kruzy

    Kruzy Private E-2

    With this font it is still hard to distinguish between L and I. The second character is not L, it is I as in Info.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not say to delete C:\WINNT\System32\netui1.dll.
    I said delete C:\WINNT\System32\netui1.exe

    You deleted a file that was part of your OS! It is NT LM UI Common Code - Networking classes. And there is also a netui2.dll which is valid.

    And did you say you also deleted one of your Quicken files (olbackup.exe)?

    Why are you deleting things that I did not ask you to delete?
     
  7. Kruzy

    Kruzy Private E-2

    Did I say I deleted C:\WINNT\System32\netui1.dll? I saw that it was close to the same file name, so I looked at its details. I only deleted OIbackup.exe.

    Kruzy
     
  8. Kruzy

    Kruzy Private E-2

    The registered company for Quicken is Intuit Inc. The file that I found was what all of my .dll files in my system32 folder were linked to open with, and it was from a completely different company. I'm pretty sure that if OIbackup.exe was a Quicken file then it wouldn't open with most or any of my .dll files. Coincidentally the popups that I WAS getting were all "By OuterInfo", hence OIbackup.exe. I'll take a look and see if I can find the company name for the file.

    Kruzy
     
  9. Kruzy

    Kruzy Private E-2

    The company name was Connected Corporation. I just said that the file name started with OI; well, I was wrong, it was OL. If it was a Quicken file it doesn't really matter; I have never used Quicken since I've had this machine, maybe I will just uninstall it.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I misunderstood and thought you deleted netui1.dll.

    However, this is why I also question deleting the olbackup.exe file, since I knew it was a valid Quicken file.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
