MajorGeeks Support Forums

  #1  
Old 01-29-05, 22:36
go4hlp go4hlp is offline
Private E-2
 
Join Date: Jan 2005
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Unhappy Oinadserve - how do I kill it?!?

I have "Script Error" that pops up (likely due to Google pop-up blocker & Panicware Free Pop-Up stopper) and the site on the error box is always www.oinadserve.com/......

Wow, I've been at this for a while. Also new at posting, so bear with me.

PC: Dell P4 700MHz Win98SE; IE 6+

I've followed all steps under:
MajorGeeks Support Forums - READ ME FIRST BEFORE ASKING FOR SUPPORT Basic Spyware, Trojan And Virus Removal (including safe mode/nonsafe)
I've run HJT and followed:
MajorGeeks Support Forums - NO HIJACK THIS LOG FILES BEFORE READING THIS HJT Tutorial & LOG File Posting

Still, just before posting, I looked in C:\WINDOWS\Temporary Internet Files and Cookies, and there is recreated: default@oinadserve[1].txt and default@www.oinadserve[1].txt

I've searched REGEDIT for oinadserve, can't find anything.

HOW do I get rid of this?
  #2  
Old 01-29-05, 23:49
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,321
Thanks: 61
Thanked 7,641 Times in 4,114 Posts
Default Re: Oinadserve - how do I kill it?!?

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


  #3  
Old 01-29-05, 23:58
go4hlp go4hlp is offline
Private E-2
 
Join Date: Jan 2005
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Oinadserve - how do I kill it?!?

Here is the log file
Attached Files
File Type: log hijackthis.log (5.0 KB, 4 views)
  #4  
Old 01-30-05, 00:05
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,321
Thanks: 61
Thanked 7,641 Times in 4,114 Posts
Default Re: Oinadserve - how do I kill it?!?

Next time please run ALL steps in the READ ME FIRST.
You did not run the TrendMicro Online scan.
  #5  
Old 01-30-05, 00:09
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,321
Thanks: 61
Thanked 7,641 Times in 4,114 Posts
Default Re: Oinadserve - how do I kill it?!?

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\SYSTEM\AHPLF.EXE


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {6EFF1303-E31A-19C7-8753-60550DF27916} - (no file)
O2 - BHO: (no name) - {2020803E-65D0-5155-A58C-37C6FF6796C2} - C:\WINDOWS\SYSTEM\JFKL.DLL
O4 - HKCU\..\Run: [Tmeiski] C:\WINDOWS\SYSTEM\ahplf.exe


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\SYSTEM\JFKL.DLL
C:\WINDOWS\SYSTEM\AHPLF.EXE

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Now Empty your Recycle Bin

Now reboot in normal mode and post a new HJT log. And tell us how things are working.
  #6  
Old 01-30-05, 00:36
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,321
Thanks: 61
Thanked 7,641 Times in 4,114 Posts
Default Re: Oinadserve - how do I kill it?!?

I forgot one other thing I wanted you to do:


Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.

2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.yahoo.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.yahoo.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
  #7  
Old 01-30-05, 00:42
go4hlp go4hlp is offline
Private E-2
 
Join Date: Jan 2005
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Oinadserve - how do I kill it?!?

Here's the latest. Looks good. I must have run TrendMicro on my work laptop - was doing both at the same time. Sorry about that.

JFKL.DLL didn't exist anywhere - running Win98, so no hidden sys files. Looked in both safe and normal mode. Not in new HJT log.

However - maybe an update can be posted - I searched for AHPLF.EXE from HJT log first on http://www.sysinfo.org/startuplist.php site per the "Read before posting HJT Logs" posting. It didn't find anything. Maybe you can have them add it.
====
Also - on work PC have the O15 Trustzone *.frame.crazywinnings.com entries. I clean and they come back. I did run everything through Step 4 from the main Spyware Post (didn't run the alternative 5&6). This is a W2K machine. Should I start a new thread?
Thanks!
Attached Files
File Type: log hijackthis.log (4.9 KB, 3 views)
  #8  
Old 01-30-05, 00:43
go4hlp go4hlp is offline
Private E-2
 
Join Date: Jan 2005
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Oinadserve - how do I kill it?!?

We must have been typing at the same time. I'll do your other steps now.
  #9  
Old 01-30-05, 00:57
go4hlp go4hlp is offline
Private E-2
 
Join Date: Jan 2005
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Oinadserve - how do I kill it?!?

Done. Since I came back here before your additional steps (although before loading IE, I did go to Windows\cookies & windows\Temp Internet Files and got rid of any @oinadserve.txt items) do I need to do any other booting, checking, etc.?

Thanks for all the help!
Think next step is a real Firewall & maybe Firefox.
  #10  
Old 01-30-05, 12:13
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,321
Thanks: 61
Thanked 7,641 Times in 4,114 Posts
Default Re: Oinadserve - how do I kill it?!?

Okay! The Win98 HJT log was clean! Is it still running okay now? No more problems?

If it is okay, make sure you have completed all the READ ME FIRST steps on your other (Win2K) PC and then post a HJT log for it. But you said you were having problems with crazywinnings. Do the below first:

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
Quote:
REGEDIT4

; Delete the current-user ZoneMap key for this domain (value 2 = Trusted sites zone)
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000002

; Recreate the key with the domain mapped to the Restricted sites zone (value 4)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000004

; Same two steps for the machine-wide key
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000004
Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
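Added example, not part of the original posts: Python code that replays the HKEY_CURRENT_USER half of the move.reg file from post #10 against a constructed starting state, to show which Internet Explorer zone the domain ends up in. The function names and the starting state are assumptions made for illustration, and the handling of value lines under a delete header is labelled as an assumption in the code.

```python
import re

# Internet Explorer security zone numbers used as ZoneMap values.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
MARKER = "\\Internet Settings\\ZoneMap\\Domains\\"
DWORD = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

def apply_reg(state, reg_text):
    """Apply REGEDIT4 text to state, a dict of {key path: {value name: int}}."""
    current = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):
            gone = line[2:-1]
            for key in [k for k in state if k == gone or k.startswith(gone + "\\")]:
                del state[key]
            current = None  # assumption: values listed under a delete header are skipped
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            state.setdefault(current, {})
        elif current is not None and DWORD.match(line):
            name, value = DWORD.match(line).groups()
            state[current][name] = int(value, 16)
    return state

def zone_map(state):
    """Return {(hive, domain, scheme): zone name} for each ZoneMap domain value."""
    found = {}
    for key, values in state.items():
        prefix, marker, domain = key.partition(MARKER)
        if not marker:
            continue
        for scheme, zone in values.items():
            found[(prefix.split("\\")[0], domain, scheme)] = ZONES.get(zone, str(zone))
    return found

KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com"
# Constructed starting state: the domain is mapped to the Trusted sites zone.
BEFORE = f'REGEDIT4\n\n[{KEY}]\n"*"=dword:00000002\n'
# HKEY_CURRENT_USER half of move.reg from post #10.
MOVE_REG = f'REGEDIT4\n\n[-{KEY}]\n"*"=dword:00000002\n\n[{KEY}]\n"*"=dword:00000004\n'

def before_and_after():
    state = apply_reg({}, BEFORE)
    before = zone_map(state)
    return before, zone_map(apply_reg(state, MOVE_REG))

if __name__ == "__main__":
    print(before_and_after())
```

After the merge the domain is still listed under ZoneMap, but in the Restricted sites zone rather than the Trusted sites zone.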
  #11  
Old 01-30-05, 22:05
go4hlp go4hlp is offline
Private E-2
 
Join Date: Jan 2005
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Oinadserve - how do I kill it?!?

No more problems!! Thanks!!
That was the second time I had it. The first time the only reason I found the exe was because aboutbuster froze on it, searched on it in Google, and found it was 'bad'.

Here is my HJT log for my Win2K machine. Ran all steps (through item 4) in the "Read this first" post, all in safe mode. I think your REG item worked for crazywinnings, not sure if anything else is left over. Anything manh.com is fine.

Thanks!
Attached Files
File Type: log hijackthis.log (7.7 KB, 2 views)
  #12  
Old 01-30-05, 22:14
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,321
Thanks: 61
Thanked 7,641 Times in 4,114 Posts
Default Re: Oinadserve - how do I kill it?!?

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {8ADE2CAD-B2B7-38AF-152E-25EAEDD4ED85} - (no file)
O23 - Service: WLTRYSVC - Unknown - C:\WINNT\System32\wltrysvc.exe C:\WINNT\System32\bcmwltry.exe (file missing)

As a matter of safety, my opinion is that nothing belongs in your Trusted Zone. Unless you cannot get your software or connections to this site to work without this, I would remove it. And if it is required for some reason, I would ask why. It should not be necessary.
O15 - Trusted Zone: http://ma-atl15.manh.com
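Added example, not part of the original posts: Python code that parses the HijackThis lines quoted in posts #5 and #12, marks entries whose registered file is absent, and lists the files behind the remaining O2/O4 entries, which are the ones post #5 asks to delete in safe mode. The patterns cover only the four line shapes shown in this thread, and the function names are assumptions made for illustration.

```python
import re

# Line shapes for the HijackThis sections quoted in this thread.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)$"),
    "O15": re.compile(r"^O15 - Trusted Zone: (?P<target>\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.+)$"),
}
# What each of those sections lists.
MEANING = {
    "O2": "Browser Helper Object loaded into Internet Explorer",
    "O4": "program started automatically",
    "O15": "site placed in the Internet Explorer Trusted Zone",
    "O23": "Windows NT service",
}
# HijackThis appends one of these when the registered file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

def parse_hjt_line(line):
    """Return the fields of a supported HijackThis line as a dict, or None."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    match = PATTERNS[section].match(line) if section in PATTERNS else None
    if not match:
        return None
    entry = dict(match.groupdict(), section=section, meaning=MEANING[section])
    entry["orphaned"] = entry["target"].endswith(ORPHAN_MARKERS)
    return entry

def triage(text):
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]

def files_to_inspect(entries):
    """Targets of O2/O4 entries that, per the log, still exist on disk."""
    return [e["target"] for e in entries
            if e["section"] in ("O2", "O4") and not e["orphaned"]]

# Lines quoted in posts #5 and #12 of this thread.
SAMPLE = r"""
O2 - BHO: (no name) - {6EFF1303-E31A-19C7-8753-60550DF27916} - (no file)
O2 - BHO: (no name) - {2020803E-65D0-5155-A58C-37C6FF6796C2} - C:\WINDOWS\SYSTEM\JFKL.DLL
O4 - HKCU\..\Run: [Tmeiski] C:\WINDOWS\SYSTEM\ahplf.exe
O15 - Trusted Zone: http://ma-atl15.manh.com
O23 - Service: WLTRYSVC - Unknown - C:\WINNT\System32\wltrysvc.exe C:\WINNT\System32\bcmwltry.exe (file missing)
"""

if __name__ == "__main__":
    print(files_to_inspect(triage(SAMPLE)))
```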
  #13  
Old 02-01-05, 08:22
go4hlp go4hlp is offline
Private E-2
 
Join Date: Jan 2005
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Talking Re: Oinadserve - how do I kill it?!?

Things look clean, got rid of the entries.
Figured I'd post one more HJT log to ensure all clean.
All the help is incredibly appreciated.
:D
Attached Files
File Type: log hijackthis.log (7.6 KB, 1 views)
  #14  
Old 02-01-05, 15:59
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,321
Thanks: 61
Thanked 7,641 Times in 4,114 Posts
Default Re: Oinadserve - how do I kill it?!?

Your log is clean. So I assume everything is working okay now?
  #15  
Old 02-01-05, 16:56
go4hlp go4hlp is offline
Private E-2
 
Join Date: Jan 2005
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Oinadserve - how do I kill it?!?

All DONE, baby!!!
The best smiley yet: what we say to all this crap:
Thanks again.
  #16  
Old 02-01-05, 19:44
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,321
Thanks: 61
Thanked 7,641 Times in 4,114 Posts
Default Re: Oinadserve - how do I kill it?!?

You're welcome! Make sure you do the steps in the below thread:

How to Protect yourself from malware!
All times are GMT -5. The time now is 06:46.
