Oinadserve - how do I kill it?!?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by go4hlp, Jan 29, 2005.

  1. go4hlp

    go4hlp Private E-2

    I have a "Script Error" that pops up (likely due to Google pop-up blocker & Panicware Free Pop-Up stopper) and the site on the error box is always www.oinadserve.com/......

    Wow, I've been at this for a while. Also new at posting, so bear with me.

    PC: Dell P4 700MHz Win98SE; IE 6+

    I've followed all steps under:
    MajorGeeks Support Forums - READ ME FIRST BEFORE ASKING FOR SUPPORT Basic Spyware, Trojan And Virus Removal (including safe mode/nonsafe)
    I've run HJT and followed:
    MajorGeeks Support Forums - NO HIJACK THIS LOG FILES BEFORE READING THIS HJT Tutorial & LOG File Posting

    Still, just before posting, I looked in C:\WINDOWS\Temporary Internet Files and Cookies, and these are recreated: default@oinadserve[1].txt and default@www.oinadserve[1].txt

    I've searched REGEDIT for oinadserve, can't find anything.

    HOW do I get rid of this?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. go4hlp

    go4hlp Private E-2

    Here is the log file
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Next time please run ALL steps in the READ ME FIRST.
    You did not run the TrendMicro Online scan.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\SYSTEM\AHPLF.EXE


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {6EFF1303-E31A-19C7-8753-60550DF27916} - (no file)
    O2 - BHO: (no name) - {2020803E-65D0-5155-A58C-37C6FF6796C2} - C:\WINDOWS\SYSTEM\JFKL.DLL
    O4 - HKCU\..\Run: [Tmeiski] C:\WINDOWS\SYSTEM\ahplf.exe


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\JFKL.DLL
    C:\WINDOWS\SYSTEM\AHPLF.EXE

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now Empty your Recycle Bin

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I forgot one other thing I wanted you to do:


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.

    2) Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.yahoo.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, then click OK. When it finishes, click OK. Then skip step 3.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.yahoo.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, then click OK. When it finishes, click OK.
     
  7. go4hlp

    go4hlp Private E-2

    Here's the latest. Looks good. I must have run TrendMicro on my work laptop - was doing both at the same time. Sorry about that.

    JFKL.DLL didn't exist anywhere - running Win98, so no hidden sys files. Looked in both safe and normal mode. Not in new HJT log.

    However - maybe an update can be posted - I searched for AHPLF.EXE from HJT log first on http://www.sysinfo.org/startuplist.php site per the "Read before posting HJT Logs" posting. It didn't find anything. Maybe you can have them add it.
    ====
    Also - on work PC have the O15 Trustzone *.frame.crazywinnings.com entries. I clean and they come back. I did run everything through Step 4 from the main Spyware Post (didn't run the alternative 5&6). This is a W2K machine. Should I start a new thread?
    Thanks!
     


  8. go4hlp

    go4hlp Private E-2

    We must have been typing at the same time. I'll do your other steps now.
     
  9. go4hlp

    go4hlp Private E-2

    Done. Since I came back here before your additional steps (although before loading IE, I did go to Windows\cookies & windows\Temp Internet Files and got rid of any @oinadserve.txt items), do I need to do any other booting, checking, etc.?

    Thanks for all the help!
    Think next step is a real Firewall & maybe Firefox.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! The Win98 HJT log was clean! Is it still running okay now? No more problems?

    If it is okay, make sure you have completed all the READ ME FIRST steps on your other (Win2K) PC and then post a HJT log for it. But you said you were having problems with crazywinnings. Do the below first:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
     
  11. go4hlp

    go4hlp Private E-2

    No more problems!! Thanks!!
    That was the second time I had it. The first time the only reason I found the exe was because aboutbuster froze on it, searched on it in Google, and found it was 'bad'.

    Here is my HJT log for my Win2K machine. Ran all steps (through item 4) in the "Read this first" post, all in safe mode. I think your REG item worked for crazywinnings, not sure if anything else is left over. Anything manh.com is fine.

    Thanks!
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {8ADE2CAD-B2B7-38AF-152E-25EAEDD4ED85} - (no file)
    O23 - Service: WLTRYSVC - Unknown - C:\WINNT\System32\wltrysvc.exe C:\WINNT\System32\bcmwltry.exe (file missing)

    As a matter of safety, my opinion is that nothing belongs in your Trusted Zone. Unless you cannot get your software or connections to this site to work without this, I would remove it. And if it is required for some reason, I would ask why. It should not be necessary.
    O15 - Trusted Zone: http://ma-atl15.manh.com
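    Added example (my own code, not part of this thread or of HijackThis): a small Python triage helper that parses the O2/O4/O15/O23 lines quoted in posts 5 and 12 above and flags the properties the replies act on: "(no file)"/"(file missing)" references, unnamed BHOs, Trusted Zone entries and services with an unknown vendor, plus, as a weak hint only, Run entries whose value name does not match the executable. The flag names and the name-mismatch heuristic are my assumptions.

```python
import re

# Constructed sample: the HijackThis lines quoted in posts 5 and 12 of this thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {6EFF1303-E31A-19C7-8753-60550DF27916} - (no file)
O2 - BHO: (no name) - {2020803E-65D0-5155-A58C-37C6FF6796C2} - C:\WINDOWS\SYSTEM\JFKL.DLL
O4 - HKCU\..\Run: [Tmeiski] C:\WINDOWS\SYSTEM\ahplf.exe
O15 - Trusted Zone: http://ma-atl15.manh.com
O23 - Service: WLTRYSVC - Unknown - C:\WINNT\System32\wltrysvc.exe C:\WINNT\System32\bcmwltry.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")          # "O4 - <rest of line>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")           # drive-letter paths without spaces
O4_RE = re.compile(r"\[([^\]]+)\]\s+(\S+)")       # "[ValueName] target.exe"

def parse_line(line):
    """Split one HJT line into O-code, CLSID, paths and triage flags (flag names are mine)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    low = rest.lower()
    clsid = CLSID_RE.search(rest)
    entry = {"code": code, "raw": line.strip(), "paths": PATH_RE.findall(rest),
             "clsid": clsid.group(0) if clsid else None, "flags": []}
    if "(no file)" in low or "(file missing)" in low:
        entry["flags"].append("dangling")       # registry refers to a file that is gone
    if code == "O2" and "(no name)" in low:
        entry["flags"].append("unnamed-bho")    # genuine BHOs normally carry a product name
    if code == "O15":
        entry["flags"].append("trusted-zone")   # thread advice: nothing belongs in the Trusted Zone
    if code == "O23" and " - unknown - " in low:
        entry["flags"].append("unknown-vendor")
    if code == "O4":
        o4 = O4_RE.search(rest)
        if o4 and entry["paths"]:
            exe = entry["paths"][0].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if o4.group(1).lower() != exe.lower():  # weak hint: many legit entries differ too
                entry["flags"].append("run-name-mismatch")
    return entry

def triage(log_text):
    """Parse every HJT line; flagged entries come first, then ordered by section number."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return sorted(entries, key=lambda e: (not e["flags"], int(e["code"][1:])))
```

    Flags are review hints for a human, not a verdict; an entry with no flag is not thereby clean.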
     
  13. go4hlp

    go4hlp Private E-2

    Things look clean, got rid of the entries.
    Figured I'd post one more HJT log to ensure all clean.
    All the help is incredibly appreciated.
    :D
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. So I assume everything is working okay now?
     
  15. go4hlp

    go4hlp Private E-2

    All DONE, baby!!!
    The best smiley yet: what we say to all this crap: :p
    Thanks again.
     
