OuterInfo

Discussion in 'Malware Help (A Specialist Will Reply)' started by Journeyer, Dec 15, 2007.

  1. Journeyer

    Journeyer Private E-2

    The primary problem with this computer was the frequent pop-up of OuterInfo ads. The system was also running very slowly.

    Combofix, Spybot S&D, AVG Anti-Spyware, and MGTools were run as requested.

    Unfortunately AVG did not create a log report even with the request checked. Items found by AVG were:
    Downloader.PurityScan.af
    Trojan.Small
    TrackingCookie Meriplex
    TrackingCookie.Tribalfusion
    Adware.PurityScan

    Logs for Combofix and MGTools are attached.

    I have not seen an instance of the OuterInfo pop-up since completing the scans and the computer runs much better ... but I would appreciate a review of the logs to see whether or not additional steps are necessary.

    Thanks.
     


  2. abri

    abri MajorGeek

    Hi Journeyer!
    Welcome to Major Geeks!

    Yes, you still have things which need removing and I would ask that you use your computer as little as possible until we can post instructions to you.

    abri
     
  3. Journeyer

    Journeyer Private E-2

    Thanks. Standing by.
     
  4. abri

    abri MajorGeek

    Hi Journeyer,

    1) Go to add/remove programs and uninstall the below:

    - My Way Search Assistant


    2) Run HijackThis (it's called analyse.exe located under C:\MGTools) and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: (no name) - {2F25AFEC-6E23-4B73-A21B-C93EF05B7D49} - C:\WINDOWS\system32\vtsqp.dll (file missing)
    O2 - BHO: (no name) - {323948AE-A76F-DBBF-1263-898DBC2481B9} - C:\WINDOWS\system32\rxy.dll (file missing)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: (no name) - {B0A8AF39-1DAF-692B-D85F-3AE675860FE4} - C:\WINDOWS\system32\xmpjdvt.dll (file missing)
    O2 - BHO: (no name) - {B4F9AB35-14AB-6F28-895F-3AE675860AEE} - C:\WINDOWS\system32\pse.dll (file missing)
    O2 - BHO: (no name) - {E3A4FE39-10FE-6E78-DE5F-3AE6758659E6} - C:\WINDOWS\system32\kijgnh.dll (file missing)
    O2 - BHO: (no name) - {E6ACA862-43AA-357F-D25F-3AE6758702B7} - C:\WINDOWS\system32\vowvkwjd.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [{32-2D-D2-24-ZN}] C:\windows\system32\mjdsregr.exe CHD003
    O4 - HKLM\..\Run: [j2281336] rundll32 C:\WINDOWS\system32\j2281336.dll sook
    O4 - HKCU\..\Run: [Fndy] C:\WINDOWS\SYSTEM32\?asks\??oolsv.exe
    O4 - HKCU\..\Run: [Pepmfz] "C:\Program Files\?ssembly\w?wexec.exe"
    O4 - HKCU\..\Run: [Hwuz] "C:\Program Files\Common Files\??curity\e?plorer.exe"
    O4 - HKCU\..\Run: [Ehzsgfca] C:\WINDOWS\SYSTEM32\?ecurity\d?xplore.exe
    O4 - HKCU\..\Run: [Fuqshmn] "C:\Program Files\Common Files\?dobe\j?vaw.exe"
    O4 - HKCU\..\Run: [Gxnlaz] C:\WINDOWS\SYSTEM32\F?nts\?ttrib.exe
    O4 - HKCU\..\Run: [Mav] "C:\Documents and Settings\Judy\Application Data\F?nts\r?gedit.exe"

    Remember to close all open browsers before clicking FIX. After you click on fix, just exit HijackThis and continue with the next instructions.


    3) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Now go to add/remove programs and uninstall:

    - Java 2 Runtime Environment, SE v1.4.2_03

    6) Now run CCleaner!! Run it on the default tab where it opens which will have the Windows tab as the one on top.

    7) Before you continue Reboot!

    8) After you reboot, install the current version of Sun Java from: Sun Java Runtime Environment

    9) Now run MGTools.exe (under C:\ ) again and attach a fresh MGlogs.zip with your next post. Also, tell me how your computer is running now.

    abri
     
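A small triage script for HijackThis-style lines of the kind listed in the post above, added here as an example that is not part of the thread or of HijackThis itself; the sample lines are constructed after the entries quoted above, with '?' standing in for the non-ASCII look-alike characters the forum could not display, and the "Example Helper" line with its all-zero GUID is a placeholder benign entry that must not be flagged:

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the HijackThis entries quoted in the thread.
# The '?' characters reproduce how the forum rendered non-ASCII look-alike
# characters in the autostart paths. The "Example Helper" line uses a
# placeholder GUID and exists only as a benign entry that must not be flagged.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {2F25AFEC-6E23-4B73-A21B-C93EF05B7D49} - C:\\WINDOWS\\system32\\vtsqp.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\\..\\Run: [Fndy] C:\\WINDOWS\\SYSTEM32\\?asks\\??oolsv.exe
O4 - HKCU\\..\\Run: [Mav] "C:\\Documents and Settings\\Judy\\Application Data\\F?nts\\r?gedit.exe"
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# '?' is illegal in a Windows file name, so a path showing one is either a
# rendering of a non-ASCII look-alike character or a broken entry; either way
# it deserves a look. Non-ASCII characters are matched directly as well.
ODD_PATH_CHARS = re.compile(r"[?\u0080-\uffff]")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage(log_text: str) -> Dict[int, List[str]]:
    """Return {line_number: [reasons]} for lines a reviewer should look at."""
    findings: Dict[int, List[str]] = {}
    for no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        # O2/O3: a BHO or toolbar with no name whose DLL is gone is a leftover
        # registration from a removed component and should be cleared.
        if kind in ("O2", "O3") and "(no name)" in body and any(t in body for t in ORPHAN_MARKERS):
            reasons.append("nameless BHO/toolbar registration with no file on disk")
        # O4: an autostart whose path contains characters a normal install would
        # never use, as in the e?plorer.exe / r?gedit.exe entries in the thread.
        if kind == "O4" and ODD_PATH_CHARS.search(body):
            reasons.append("autostart path contains look-alike or non-ASCII characters")
        if reasons:
            findings[no] = reasons
    return findings


if __name__ == "__main__":
    for no, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"line {no}: {'; '.join(reasons)}")
```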
  5. Journeyer

    Journeyer Private E-2

    Working on it ... thanks. Back soon.
     
  6. Journeyer

    Journeyer Private E-2

    The specified steps have been completed. A few of the Hijack This entries could not be found ... I have included them below. All other steps went as expected.

    The computer seems to be running fine ... still no instances of the OuterInfo ad pop-ups which were very frequent before this clean-up started.

    Thanks again for your help. A new MGlogs.zip is attached ... how are we looking?

     


  7. abri

    abri MajorGeek

    Hi Journeyer,
    Did you create the following folder on the desktop?
    C:\Documents and Settings\Judy\Desktop\Jny_Security

    There's one file in your logs this time around that was not in it the first time around, meaning, something generated it. I would like you to remove it as follows:

    1) Please download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) Next please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    3) Please post a fresh MGlogs.zip and let me know how things are running now.

    abri
     
  8. Journeyer

    Journeyer Private E-2

    abri,

    Yes ... I created the folder Jny_Security on the desktop to hold all of the files we've downloaded during this process. It organizes the stuff a little. :)

    The Avenger and ATF Cleaner ran as expected. A new MGlogs.zip file is attached.

    The system seems to be running fine. How does it look to you? Thanks again for the excellent help.
     


  9. abri

    abri MajorGeek

    Journeyer,
    Avenger didn't seem to delete this, so I would like to see the Avenger log to see if there are any comments in it.
    abri
     
  10. Journeyer

    Journeyer Private E-2

    I reran Avenger just to be sure it was run correctly. The log file is attached and indicates that the file was deleted successfully.

    I have also attached a fresh MGlog.zip file prepared after running Avenger.

    How do we look?

    Thanks.
     


  11. abri

    abri MajorGeek

    Hi Journeyer,
    Your logs look clean. There are two things still:

    Optionally you can use HijackThis (analyse.exe) to fix these two items: the first if you don't use it and the second because it's unnecessary:

    O4 - HKCU\..\Run: [QuickBar] C:\Program Files\QuickBar\quikbar.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Secondly, do you know what this is? If not, would you upload it with your next attachment?
    C:\rjhtodns.txt

    And now I will post our final cleaning instructions for you. I would like to add that you should use CCleaner at the default setting before you shut down your computer.
    abri
     
  12. Journeyer

    Journeyer Private E-2

    abri,

    Working on it ... back shortly.

    Thanks.
     
  13. Journeyer

    Journeyer Private E-2

    Hey abri,

    Looks like we're done!! :)

    The two items were removed with HijackThis ... no problem.

    c:\rjhtodns.txt looks like a file automatically created to hold the information I pasted from your message into The Avenger. The content of the file was:
    The file has been deleted.

    General clean-up work was done ok and system restore has been done without a problem. Thanks for all of your help and for the tips on malware prevention. I'll pass it along to the folks who screwed up this computer. ;)
     
  14. abri

    abri MajorGeek

    Journeyer!
    You're welcome and thanks for passing on the word about our site.
    Do read the "How to protect yourself from malware" thread and enjoy your computer!
    abri
     
