Help with removing Outerinfo

We’ve hit another snag. ComboFix ran fine and I’ll attach the log right now. But OTMoveIt2 has frozen again. The last thing the status bar said was “Moving file…” I’m sure that doesn’t help much, but yeah. I’m going to let it keep running whilst being frozen to see if it gets anywhere.

And we’re definitely making progress. There hasn’t been any of the weird pop-ups in a while, and the nasty thing that took over my desktop wallpaper is gone and replaced with just a gray background.

Thanks again for all your help. You’ve no idea how much I appreciate this :).

ETA: OTMoveIt2 really is refusing to get anywhere.

Your desktop is ok except for the color? Icons present etc?

We may have stalled OTMOVEIT2 when we were removing the temp files with a wildcard.

Let’s just remove the folders.

C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\Program Files\stc
C:\Program Files\PianoFX
C:\WINDOWS\FLEOK

We might as well check a couple of the temp files

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\LFF77.tmp
C:\WINDOWS\system32\L2125.tmp

scroll down a bit and click “send file”, wait for the results and post them in your next reply along with the otmoveit2 results and an HJT log.

Thanks

Yeah, all of the icons are fine and the background is just gray at the moment.

Here’s the OTMoveIt2 results:

[Custom Input]
< C:\Program Files\180searchassistant >
File/Folder C:\Program Files\180searchassistant not found.
< C:\Program Files\180search assistant >
File/Folder C:\Program Files\180search assistant not found.
< C:\Program Files\stc >
C:\Program Files\stc moved successfully.
< C:\Program Files\PianoFX >
C:\Program Files\PianoFX\temp moved successfully.
C:\Program Files\PianoFX moved successfully.
< C:\WINDOWS\FLEOK >
File/Folder C:\WINDOWS\FLEOK not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03302008_181156


Virustotal

for C:\WINDOWS\system32\LFF77.tmp: 0 bytes size received / Se ha recibido un archivo vacio
for C:\WINDOWS\system32\L2125.tmp: 0 bytes size received / Se ha recibido un archivo vacio


And HJT log attached

While I check a few things, try this for your background.

Right click on a bare spot on your desktop and select Properties.
Go to Desktop tab, Customize Desktop button (near the bottom), Web tab and delete everything except “My current home page” and leave that unticked

Alrighty. I did that, but nothing was there to delete and that was already unticked, so I didn’t have to do much ;).

Okay, I’ll see what else I can find for your desktop.

Getting there.

Open HJT, run a system scan only, check mark these lines if present

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close all other browsers/windows, click fix, close HJT.

We will use Avenger to make those go away.


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
[*] Copy and paste all the text in the above quote box into the main window…
[*]Click Execute
[*] Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\web\related.htm
C:\WINDOWS\msa64chk.dll

Folder::
C:\WINDOWS\web\related.htm

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

One more for virustotal

C:\WINDOWS\system32\VBA6.DLL

Avenger results and combofix log and VT results, please

try this

right click on an empty space on the Desktop, point at “Arrange Icons by” and if “Lock Web Items on Desktop” is checked, click on it to uncheck it.

I looked at the “Arrange Icons By” menu and that option was already unchecked.

VT is taking a while with its scanning this time around. waits for it to finish

Rawr…I’ll post it in my next post so you can at least start looking at the other logs.

ETA: Here it is-

Antivirus Version Last Update Result
AhnLab-V3 2008.3.29.0 2008.03.29 -
AntiVir 7.6.0.78 2008.03.28 -
Authentium 4.93.8 2008.03.30 -
Avast 4.7.1098.0 2008.03.30 -
AVG 7.5.0.516 2008.03.30 -
BitDefender 7.2 2008.03.31 -
CAT-QuickHeal 9.50 2008.03.28 -
ClamAV 0.92.1 2008.03.30 -
DrWeb 4.44.0.09170 2008.03.31 -
eSafe 7.0.15.0 2008.03.30 -
eTrust-Vet 31.3.5653 2008.03.29 -
Ewido 4.0 2008.03.30 -
F-Prot 4.4.2.54 2008.03.30 -
F-Secure 6.70.13260.0 2008.03.31 -
FileAdvisor 1 2008.03.31 -
Fortinet 3.14.0.0 2008.03.30 -
Ikarus T3.1.1.20 2008.03.31 -
Kaspersky 7.0.0.125 2008.03.30 -
McAfee 5262 2008.03.28 -
Microsoft 1.3301 2008.03.31 -
NOD32v2 2985 2008.03.30 -
Norman 5.80.02 2008.03.28 -
Panda 9.0.0.4 2008.03.29 -
Prevx1 V2 2008.03.31 -
Rising 20.37.61.00 2008.03.30 -
Sophos 4.28.0 2008.03.31 -
Sunbelt 3.0.978.0 2008.03.18 -
TheHacker 6.2.92.259 2008.03.30 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.29 -
Webwasher-Gateway 6.6.2 2008.03.31 -
Additional information
File size: 1693968 bytes
MD5: d19fbc6c2fa911c14b042aef6a5a746e
SHA1: f8139324922e3b4943b5c5fc012beff516ce3b89
PEiD: -

That didn’t turn out so nicely when pasted, but basically it said 0/31 (0%).

Malware sometimes hijacks your desktop and when you remove it, you’ve got to figure out what was turned off.

Try this, then we’ll clean up the tools and do a couple of other things.

  1. Click Start, click Control Panel, and then double-click Display.
  2. In the Display Properties dialog box, click the Appearance tab.

Anything disabled or turned off there?

One folder to remove with otmoveit2

C:\Program Files\zango

I’ll keep looking. :wink:

Nothing was disabled there. I just tried to set a different desktop background and it seems to be back to normal. Before when I changed the desktop background, it would revert back to the malware screen. So far so good.

And I don’t know if you wanted the OTMoveIt2 log, but I thought I’d copy and paste it anyway ;).

[Custom Input]
< C:\Program Files\zango >
File/Folder C:\Program Files\zango not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03302008_194419

Well all right, maybe we’ve been successful.

We’ll clean up the tools that we used, then there is one more scan I’d like you to do. Everything seems fine? Let me know.

  • Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

*Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Then run this scan, sit back and enjoy a drink of whatever you want. :slight_smile:

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Yeah, everything seems to be running perfectly. No stupid pop-ups for anti-spyware, nothing hijacking my desktop :D.

The Disk Cleanup is running right now. It always takes forever, and if I remember correctly, most of the time it takes too long and I just give up 'cause it never gets anywhere even after a couple of hours. But I’ll let it run for now and then I’ll follow the rest of your directions.

I’d like to take this time to thank you again. You are amazing for helping me out with this all day today. It was frustrating enough for me to have to worry about this and try to fix it, but I’m sure it’s a hundred times worse for you with having to actually go through all of the logs and stuff. So a million thanks to you for being a lifesaver…twice for me now lol.

No problem, it was easy to work with you.

I’ll “talk” to you after the Malwarebytes scan. I believe it’s time to put on the feedbag.

I hope that it’s not imperative that I do the Disk Cleanup because I definitely left it going overnight and it did absolutely nothing, just stayed in that one spot the whole time. Tis how it is every time I try to run it, so yeah.

If you give me the okay, I’ll move onto that last thing later on today.

There is another way of clearing the old restore points, but you can do that after or before the Malwarebytes scan.

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

I decided to do the Malwarebytes first :D. So here’s the log:

Malwarebytes’ Anti-Malware 1.09
Database version: 576

Scan type: Quick Scan
Objects scanned: 30389
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID{543bd811-f148-4b3a-a0b9-177014555bf9} (Adware.ISM) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.band (Adware.ISM) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.band.1 (Adware.ISM) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{1f2f95d9-bafd-4769-85a2-4169957db67e} (Adware.ISM) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars{1f2f95d9-bafd-4769-85a2-4169957db67e} (Adware.ISM) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.bho (Adware.ISM) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.bho.1 (Adware.ISM) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{d6b0c179-6343-442c-8175-9652e200cb55} (Adware.ISM) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BndBlock5.DLL (Adware.ISM) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndBlock5.Band (Adware.ISM) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndBlock5.Band.1 (Adware.ISM) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndBlock5.BHO (Adware.ISM) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BndBlock5.BHO.1 (Adware.ISM) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Installer\id53.exe (Fake.Dropped.Malware) → Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) → Quarantined and deleted successfully.
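A check a helper might run over a log like the one above, added here as an example that is not part of the thread: it parses the MBAM 1.x header counts and detail sections, confirms that each header count matches the itemised entries, and flags anything not reported as fully removed. The sample log is a constructed excerpt in that format (the “Delete on reboot” entry is invented to show the pending case).

```python
import re

# Constructed sample in the layout of the Malwarebytes' Anti-Malware 1.x log posted above;
# the last file entry is invented to show an action that still needs a reboot.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.09
Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\\bndblock5.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\Installer\\id53.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\\WINDOWS\\licencia.txt (Malware.Trace) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")   # header count line
SECTION_RE = re.compile(r"^(?P<cat>.+ Infected):$")               # start of a detail section
ITEM_RE = re.compile(r"^(?P<loc>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (header_counts, items); items maps category -> [(location, family, action)]."""
    counts, items, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            section = None                      # a blank line closes the current section
        elif (m := SUMMARY_RE.match(line)):
            counts[m["cat"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["cat"]
        elif section and (m := ITEM_RE.match(line)):
            items.setdefault(section, []).append((m["loc"], m["family"], m["action"]))
    return counts, items

def summary_mismatches(text):
    """Categories whose header count disagrees with the itemised entries: {cat: (claimed, listed)}."""
    counts, items = parse_mbam_log(text)
    return {c: (n, len(items.get(c, []))) for c, n in counts.items() if n != len(items.get(c, []))}

def unfinished_items(text):
    """Entries not reported as quarantined and deleted, e.g. those scheduled for reboot."""
    _, items = parse_mbam_log(text)
    return [(loc, action) for entries in items.values()
            for loc, _, action in entries if action != "Quarantined and deleted successfully"]
```

Run against the real log by reading the saved MBAM log file into `text` instead of `SAMPLE_LOG`; a non-empty result from `unfinished_items` means a restart is still needed before the machine can be called clean.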

Try clearing the system restore and creating a new one by the method in the link.

You really should update to XP SP2, a lot of vulnerabilities have been fixed. Adding an on demand antispyware program like SUPERAntiSpyware wouldn’t hurt either.

Go to Add/Remove Programs and uninstall

Malwarebytes