AntiSpyware Master and Outerinfo problem



I was just browsing the net and this pop-up came up on my screen called AntiSpyware Master, which I hadn't installed, and it started doing a scan on my computer and came up with all these things, so I clicked the X to close it. Then I got this folder in my Start > Programs called Outerinfo containing an RTF called Terms and an uninstaller that doesn't work.

So I ran Ad-Aware SE with the latest definitions and cleared up some stuff, then I ran Spybot and it came up with "Alexa Related", so I checked the box to fix that. Then I went on WinPatrol, which had been notifying me of everything that happened, went to Active Tasks and killed some of the processes that looked dodgy, and immediately my CPU usage dropped from 100% to 5%, but I still haven't got rid of it, as I'm getting security warnings and WinPatrol keeps popping up saying "

I did a scan with Ewido Security Suite and this is the report:

+ Duration: 84 min
+ Scanned Files: 160264
+ Speed: 31.68 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 30
+ Files that could not be cleaned: 0
+ Ignore extension: Yes
+ Binder: Yes
+ Crypter: Yes
+ Memory: No
+ Archives: No
+ Heuristic: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> File could not be opened
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> File could not be opened
C:\Documents and Settings\User\Favorites\???????.url -> File could not be opened
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_744.dat -> File could not be opened
C:\Documents and Settings\User\NTUSER.DAT -> File could not be opened
C:\Documents and Settings\User\ntuser.dat.LOG -> File could not be opened
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\LocalService\NTUSER.DAT -> File could not be opened
C:\Documents and Settings\LocalService\ntuser.dat.LOG -> File could not be opened
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\NetworkService\NTUSER.DAT -> File could not be opened
C:\Documents and Settings\NetworkService\ntuser.dat.LOG -> File could not be opened
C:\hiberfil.sys -> File could not be opened
C:\pagefile.sys -> File could not be opened
C:\Program Files\LimeWire\Incomplete\T-6652526-jme sens vide?.mp3 -> File could not be opened
C:\WINDOWS\system32\ace2\bmv35gui.exe -> File could not be opened
C:\WINDOWS\system32\config\default -> File could not be opened
C:\WINDOWS\system32\config\default.LOG -> File could not be opened
C:\WINDOWS\system32\config\SAM -> File could not be opened
C:\WINDOWS\system32\config\SAM.LOG -> File could not be opened
C:\WINDOWS\system32\config\SECURITY -> File could not be opened
C:\WINDOWS\system32\config\SECURITY.LOG -> File could not be opened
C:\WINDOWS\system32\config\software -> File could not be opened
C:\WINDOWS\system32\config\software.LOG -> File could not be opened
C:\WINDOWS\system32\config\system -> File could not be opened
C:\WINDOWS\system32\config\system.LOG -> File could not be opened

::Report End

Also, in WinPatrol I have these in my IE helpers; should I remove them?

rqrpmlih.dll
hgghfdbb.dll
{9c160a27-687a-4b38-7069}

In Active Tasks I have two instances of lsass.exe: one is "LSA Shell (Export Version)" and the other comes up with an unknown title.

Help


I'd recommend trying a tool called ComboFix; we've been using it at work, and it's a powerful tool. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Some antivirus programs will recognize it as a virus, but I promise it is a legit tool. Also, you might want to try a tool called HijackThis. It can generate a log report of suspicious activity and then help identify the problem components.


Also, in WinPatrol I have these in my IE helpers; should I remove them?

rqrpmlih.dll
hgghfdbb.dll
{9c160a27-687a-4b38-7069}

Yes, remove them. Also download *either* SUPERAntiSpyware Free Edition or Spybot Search & Destroy (or both!) and run a full scan.

Once the scans are run, reboot, download HijackThis, run a full scan and post the log file as a reply to this thread.

HTH,

Ad


OK, I tried removing those IE helpers, but only the one in the brackets went away for good; those other two keep coming back. So I downloaded those programs and will get a HijackThis log up when that gets done.


Well, it took ages. I updated my Spybot to the current version and it picked up tons of stuff, then I ran SUPERAntiSpyware and cleared loads of stuff out, so I rebooted, installed and ran HijackThis, and my log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51:49, on 15/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transtec.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\System32\hgghfdbb.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll (file missing)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [Run DLL] C:\WINDOWS\System32\svchost64.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\System32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [TimeOut] C:\Program Files\Common Files\TimeOutPC\TimeOutPC.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldwinner.com/games/v42/br...ut/brickout.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgghfdbb - C:\WINDOWS\SYSTEM32\hgghfdbb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8707 bytes

I'm still getting errors and pop-ups from WinPatrol asking me to allow rjgdfp.dll every few minutes.


I keep getting these pop-ups:

Buffer Overrun Detected
Program: C:\WINDOWS\explorer.exe

and

regsvr32.exe - Application Error
The instruction at "0x771214ec" referenced memory at "0x771214ec". The memory could not be "read". Click OK to terminate.

What should I do?


I've been meaning to post this reply so badly. I found a simple, easy way to get rid of the awful, lame program known as AntiSpyware, which installs itself on your computer (I don't know how) and makes its home there, camouflaged from spyware-searching programs such as Spybot - Search & Destroy and many more.

The first thing I did was to look inside the C drive, because everyone knows that everything that's installed on your computer always ends up there (I think). Anyway, you'll find the folder antispyware there, but don't delete it (you'll need it for the uninstallation; you can delete it once you've done the uninstallation). Do a search on your computer (you know, the search that searches for all the files inside your computer only) for antispyware <--- just like I typed it (do a search for all files and folders). You'll get the results of all the files on your computer with the name antispyware, including the uninstall file. Double-click the uninstall antispyware file, follow the prompts, and bye-bye antispyware ;).

I know this because I just got that cursed thing today, and amazingly, even though I'm such a computer noob, I figured it out in less than 15 minutes :p. I do ask that everyone who reads this post please pass it on to other forums; lots of people are having problems with this spy software and are calling out for help. Help them like I helped you, OK? That's all, enjoy freedom!!!!!! ^_^


Thanks for posting your HijackThis log. Sorry for the delay, I've only just got notification of a reply!

Re-run HijackThis (run a scan only), select the following entries, then click "Fix selected items":

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\System32\hgghfdbb.dll

O4 - HKLM\..\Run: [Run DLL] C:\WINDOWS\System32\svchost64.exe

O20 - Winlogon Notify: hgghfdbb - C:\WINDOWS\SYSTEM32\hgghfdbb.dll

Also go to the following sites and run a full scan from both sites:

Panda ActiveScan

Trend Micro HouseCall

Post back and let us know how you're getting on.

Cheers,

Ad

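The four entries Ad picks out above (a BHO with no file behind it, an eight-letter DLL with no vowels registered both as a BHO and as a Winlogon Notify package, and a look-alike svchost64.exe under Run) are the patterns a helper scans a HijackThis log for by eye. As an added example, not part of this thread or of the HijackThis tool, the Python below encodes those checks and runs them over a constructed subset of the log posted earlier in the thread. The thresholds (six or more letters with at most one vowel counts as a random name; the list of imitated system binaries; System32 as the only legitimate home for them) are assumptions chosen for this illustration, not rules from HijackThis or from any vendor.

```python
"""Flag suspicious HijackThis entries the way a forum helper does by eye.

Added example for this thread; not HijackThis code. All thresholds below are
assumptions made for the illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Entry types whose target DLL is loaded into Internet Explorer (O2, BHO) or
# into winlogon.exe (O20, Winlogon Notify); a random DLL in System32 under
# either is the pattern seen in the posted log.
DLL_HOOK_TYPES = {"O2", "O20"}
# Core Windows binaries that malware imitates by name or by location (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe"}
SYSTEM_DIR = "c:\\windows\\system32"
VOWELS = set("aeiouy")

LINE_RE = re.compile(r"^(?P<entry>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a loadable extension; lazy so a trailing
# ",EntryPoint" or " -flag" is not swallowed into the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx)\b", re.IGNORECASE)

# Constructed subset of the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\lsass.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\System32\hgghfdbb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run DLL] C:\WINDOWS\System32\svchost64.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgghfdbb - C:\WINDOWS\SYSTEM32\hgghfdbb.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    entry: str   # HijackThis section, e.g. "O2"
    reason: str
    line: str    # the offending log line, verbatim


def looks_random(filename: str) -> bool:
    """True for names like hgghfdbb.dll: six or more letters with at most one vowel."""
    stem = filename.rsplit(".", 1)[0].lower()
    return stem.isalpha() and len(stem) >= 6 and sum(c in VOWELS for c in stem) <= 1


def mimics_system_binary(basename: str, directory: str) -> Optional[str]:
    """Return the Windows binary this .exe imitates, by name or by location, else None."""
    if not basename.endswith(".exe"):
        return None
    for real in SYSTEM_BINARIES:
        stem = real[:-4]
        if basename != real and basename.startswith(stem):
            return real  # svchost64.exe, lsass32.exe, ...
        if basename == real and directory != SYSTEM_DIR:
            return real  # genuine name, wrong folder
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Apply the heuristics to each 'Xn - ...' line and collect the hits."""
    findings: List[Finding] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        entry, body = m.group("entry"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(entry, "registered component file missing", raw))
            continue
        if "AutoConfigURL" in body:
            findings.append(Finding(entry, "proxy auto-config set; confirm it is intended", raw))
            continue
        p = PATH_RE.search(body)
        if not p:
            continue
        directory, _, basename = p.group(0).lower().rpartition("\\")
        if entry in DLL_HOOK_TYPES and looks_random(basename):
            findings.append(Finding(entry, "random-looking DLL name", raw))
        real = mimics_system_binary(basename, directory)
        if real:
            findings.append(Finding(entry, f"name mimics {real}", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.entry:<5}{f.reason:<48}{f.line}")
```

Run as a script it prints the flagged lines; hgghfdbb.dll is reported twice, once under O2 and once under O20. That double registration fits the earlier report that the IE helper "keeps coming back": a Winlogon Notify package is loaded by winlogon.exe at every logon, so deleting only the BHO entry leaves the DLL a second way in, and both entries need to be fixed in the same pass. The AutoConfigURL hit is a prompt to confirm rather than a verdict; a proxy auto-config pointing at a LAN address can be legitimate, but it is also how a browser's traffic gets silently redirected, so it is worth checking against what the owner expects.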

I ran ActiveScan and it detected one active virus, which I was allowed to disinfect as a free user, then ran HouseCall, which took hours; it cleaned up some stuff but said it couldn't fix Troj_Vundo.bmf and showed a list of dodgy .dll files in my C:\Windows\system32 folder.

I'm still getting pop-ups from WinPatrol asking me if I should allow dodgyfile.dll, and I'm getting pop-ups from Spybot constantly about changed registry settings and stuff.
