Help!

Outerinfo Invasion on my computer! PLEASE HELP!


kfisk



Joined: Jan 17, 2008
Posts: 5



Posted: Thu Jan 17, 2008 3:18 pm    Post subject: Outerinfo Invasion on my computer! PLEASE HELP!

Yesterday "outerinfo" decided to take over my computer. I have no idea what to do. I ran AVG Anti-Spyware for 5 hours today and deleted over 200 infected files, yet it is still on my computer. I have also deleted the folder with the name on it out of my Program Files. Still, it is taking over my computer. I'm starting to feel helpless! I happened to see another person on this forum with the same problem, so I downloaded and ran Combofix like you had told them to. Please help me. When it comes to this kind of stuff I haven't a clue and this is a huge pain! Below is the log that Combofix gave me. If you respond with wanting me to run "HijackThis" please let me know what that is. Thank you!!



Start Time= Thu 01/17/2008 14:58:39.09

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-01-17 15:03:52 338432 ( A.... ) "C:\WINDOWS\system32\jkkjk.exe"
2008-01-17 14:55:12 10240 ( A.... ) "C:\Program Files\spoolsv.exe"
2008-01-17 08:40:30 495104 ( A.... ) "C:\WINDOWS\system32\NeroCheck .exe"
2008-01-17 08:32:38 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Grisoft"
2008-01-17 08:31:12 ( .D... ) "C:\Program Files\Grisoft"
2008-01-17 08:11:26 9728 ( A.... ) "C:\WINDOWS\system32\spoolvs .exe"
2008-01-17 08:11:18 9728 ( A.... ) "C:\WINDOWS\system32\printer .exe"
2008-01-17 07:18:30 ( .D... ) "C:\Program Files\Spyware Doctor"
2008-01-17 07:18:30 ( .D... ) "C:\Documents and Settings\Owner\Application Data\PC Tools"
2008-01-16 14:46:20 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Help"
2008-01-16 13:52:38 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Symantec"
2008-01-16 13:44:22 10752 ( A.... ) "C:\WINDOWS\mgrs.exe"
2008-01-16 13:14:50 334848 ( A.... ) "C:\WINDOWS\system32\jkkjk.dll"
2008-01-16 13:13:26 ( .D... ) "C:\Program Files\Temporary"
2008-01-16 13:11:24 ( .D... ) "C:\Program Files\Common Files\W?nSxS"
2008-01-16 13:10:30 687592 ( A.... ) "C:\WINDOWS\system32\atmtd.dll"
2008-01-16 13:10:06 36864 ( A.... ) "C:\WINDOWS\mrofinu1000106.exe"
2008-01-16 13:09:58 ( .D... ) "C:\Program Files\Network Monitor"
2008-01-16 13:09:36 ( .D... ) "C:\Documents and Settings\Owner\Application Data\S?mantec"
2008-01-16 11:08:36 2950 ( A.... ) "C:\Documents and Settings\Owner\Application Data\wklnhst.dat"
2008-01-15 16:52:24 140800 ( ..SH. ) "C:\Program Files\Common Files\Yazzle1281OinAdmin.exe"
2008-01-15 11:30:52 60928 ( A.... ) "C:\WINDOWS\system32\wqpqelws.dll"
2008-01-11 14:53:40 ( .D... ) "C:\Program Files\InterActual"
2007-12-18 10:28:10 ( .D... ) "C:\Program Files\PENTAX"
2007-11-06 11:32:08 85240 ( A.... ) "C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT"
2007-10-31 13:03:02 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-11-25 02:57:34 482 ( A.... ) "C:\Program Files\Del.js"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NAV CfgWiz"="C:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"avp"="C:\\windows\\avp.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas .exe\" /minimized"
"Printer"="C:\\windows\\system32\\printer.exe"
"smgr"="mgrs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Lrir"="\"C:\\DOCUME~1\\Owner\\APPLIC~1\\SMANTE~1\\notepad.exe\" -vt ndrv"
"Vhzydt"="\"C:\\Program Files\\Common Files\\W?nSxS\\i?xplore.exe\""
"Dot1XCfg"="C:\\Program Files\\Dot1XCfg\\Dot1XCfg.exe"
"Spoolsv"="C:\\windows\\system32\\spoolvs.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D4576C73-52BD-4401-B966-5A128C4433D4}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"


Contents of the 'Scheduled Tasks' folder
C:\windows\tasks\EasyShare Registration Task.job
C:\windows\tasks\ISP signup reminder 1.job
C:\windows\tasks\ISP signup reminder 2.job
C:\windows\tasks\ISP signup reminder 3.job
C:\windows\tasks\Norton AntiVirus - Scan my computer.job
C:\windows\tasks\Symantec NetDetect.job
C:\windows\tasks\WebReg Photosmart C4100 series.job

Completion time: Thu 01/17/2008 15:08:36.96
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
greyknight17



Joined: Feb 03, 2003
Posts: 4946

Location: Brooklyn, NY

Posted: Sat Jan 19, 2008 7:47 pm    Post subject:

Welcome to Lockergnome.

Please try not to follow any user's fix, especially with the combofix tool. Things may go wrong when using this tool...

Read this topic and reply back with the HijackThis log when ready.
kfisk



Joined: Jan 17, 2008
Posts: 5



Posted: Sun Jan 20, 2008 12:40 pm    Post subject:

First of all, thank you for responding. Secondly, I tried to download Cleanup! amongst all the chaos my computer was doing and when I tried to open it up it said something along the lines that it was supposed to be 60,000 bytes, but the file was only 30,000 bytes so it couldn't open. So, I decided to skip it after several failed attempts. I then moved on to the Windows updates and finished that up. I then moved on to the TrendMicro website and clicked on the download link. Unfortunately each page I brought up was freezing on me (because I tried several times). Since there was too much happening on my computer, I decided to restart, but now when I restart, all that shows up is my desktop photo. Nothing else. There's absolutely nothing showing up for me to click on. I have tried to restart several times now and this keeps happening each time. If you could give me any advice as to what to do now, please let me know. Thank you.
kfisk



Joined: Jan 17, 2008
Posts: 5



Posted: Mon Jan 21, 2008 9:00 pm    Post subject:

Please disregard that last message I posted. I managed to get my computer to load, so I am in the process of doing the steps on that link. I will post my Hijack log when I finally get to that part.
kfisk



Joined: Jan 17, 2008
Posts: 5



Posted: Tue Jan 22, 2008 6:57 pm    Post subject:

Ok, well, I was almost done with all the steps and had gotten to the Spybot. Every time I would click on the Installation for it (I tried several times and tried to push the buttons really fast several times before it would disappear) the screen for it would magically disappear (I don't know if this is a side effect of the spyware?). I was going to try and reinstall it (which I had to do a couple of times with the other programs because they would stop working and then wouldn't work anymore after the first time). Anyways, now it is not allowing me to connect to the internet. So, I can't reinstall Spybot and I can't get to the HijackThis. I can definitely tell that there is still a bunch of crap on my computer even after doing all those other programs to delete stuff. And I opened up "My Documents" and noticed there were a TON of files that were there that weren't supposed to be and I tried to delete them on their own, but it said they were being used so they couldn't be deleted. At this point, I don't know what to do since I can't connect to online on it (our other laptop is working just fine on the wireless connection). I even tried to hook the infected laptop up with the ethernet cable, but it still wouldn't connect. Any advice at this point would be appreciated :( Also, if I just totally fully reinstall Windows on it, will this cure my problem?? Or will this awful crap still be on it??
greyknight17



Joined: Feb 03, 2003
Posts: 4946

Location: Brooklyn, NY

Posted: Wed Jan 23, 2008 9:40 pm    Post subject:

If you want to reinstall Windows, you should go with the clean install (wipe everything out). If you have data you need, you should back them up now before reinstalling Windows.

Otherwise, if you want to continue, you can always get HijackThis from another computer and put it on a floppy ;)

Before doing that, run the below instead of CleanUp (it should clean just as much if not more junk):

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Post the HijackThis log when ready...or if you decide to reinstall Windows, let me know so I can lock this topic.
kfisk



Joined: Jan 17, 2008
Posts: 5



Posted: Thu Jan 24, 2008 7:01 am    Post subject:

Unfortunately, it's consumed my computer so much that when Windows loads all the way, it begins to shut down by itself. Which unfortunately means I can't even save some things that I had wanted to. So, I wouldn't be able to even use HijackThis from a Disk. So I guess my only option is to reinstall Windows (which hopefully it doesn't keep shutting down on me while I try). Thank you so much though for your advice. I will probably run all those programs once I reinstall just to make sure it is totally gone and if it's still there, you will be hearing back from me! ;)
greyknight17



Joined: Feb 03, 2003
Posts: 4946

Location: Brooklyn, NY

Posted: Sun Jan 27, 2008 3:32 pm    Post subject:

If you have another computer (spare in the house or go to a friend's house), I recommend taking out the hard drive and installing it to the other computer as a slave drive and get your data off from it. Double check to make sure you got everything.

Then go back to this computer and reinstall Windows. I recommend doing a clean install (the XP CD will say it detected a current version of Windows installed). Just blow that away and install it from a clean state for the best performance in the long run.