“Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups :(

Discussion in 'Malware Help (A Specialist Will Reply)' started by blackbird005, Dec 14, 2005.

  1. blackbird005

    blackbird005 Private E-2

    Hi there, I’ve been fighting popups for the last two weeks, and finally decided I need help. I’ve been getting the following pop-ups when I’m connected to the internet:

    1. http://ad.oinadserver.com website popups (very frequent). Can be closed by right-clicking on the tab at the bottom of my screen.

    2. “Server Busy” (“This action cannot be completed because the other program is busy etc…”) pop-up which won’t close, even when I quit all my running programs. It does not appear as a running application in Windows Task Manager. Sometimes it causes my internet site to crash, sometimes I can keep running the window, but the pop-up remains in the foreground, middle of the page. CanNOT be closed by right-clicking on the tab at the bottom of my screen. Appears as an ERROR (source: VSS, EventSystem, or Application Hang; sometimes followed by a Warning) in my Application Log of my Control Panel Event Viewer.

    3. Occasional Screensavers.com pop-ups. Can be closed by right-clicking on the tab at the bottom of my screen.

    4. Sfondi Desktop. CanNOT be closed by right-clicking on the tab at the bottom of my screen, but can be closed (along with all other internet browsers) by hitting ALT+F4.

    5. Recently, a new one has come up dealing with Christmas Screensavers… Definitely NOT putting me in the holiday spirit!!!


    I have a Yahoo toolbar pop-up blocker running. I don’t frequent gambling, XXX or any such sites (the most adventurous I get is browsing news articles on MSN.com and MSN.ca). Yesterday I ran Microsoft Antispyware and removed 3 items (a copy of my logfile is attached).

    I’ve followed all the steps listed in the “READ & RUN ME FIRST Before Asking For Support” thread you have posted in the Spyware Specific forum. Manual uninstall (Add/remove programs) removed two versions of the Viewpoint program. Online virus scan revealed nothing using TrojanScan, and two Spyware hits using Panda ActiveScan (C:\Program Files\rdso\eetu.exe and C:\PROGRAM FILES\RDSO\EETU.EXE). I manually deleted the C:\Program Files\rdso\eetu.exe after I ended its process in my process tree, but could not find the capitalized version of the file.
    I rebooted in Safe Mode (no network access). Ran a program called Cleanup.exe (very similar to Ccleaner). I also ran the rest of the 4 antivirus/spyware programs you listed, and they came up clean.

    I’ve attached my HijackThis logfile. Can you please let me know if you find anything that could be causing these problems? This is driving me nuts!! Thanks!



    Some more info on my computer (Dell):
    Internet access is through a wireless hub shared with 3 other computers. My internet speed is sporadically slow to the point of being non-existent. Other times it’s fine.

    Operating system information:
    Microsoft Windows XP home edition, Version XP retail, Service Pack 1
    OS kernel type: Uniprocessor free
    OS features: Network present [yes]

    Memory:
    Total 254
    Used: 169
    Free 84
    Utilization 67%

    Virtual memory:
    Total 879 mb
    Used: 420
    Free 459
    Utilization 48%

    CPU: Intel Celeron 4A; 2400 MHz (6 x 400)


    Hope this helps!
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    Follow the directions for Running Spy Sweeper.

    Post the Spy Sweeper log and a Fresh HijackThis log when finished.
     
  3. blackbird005

    blackbird005 Private E-2

    Brilliant. I've run SpySweeper, and it came up with 2 hits that the other antispyware programs missed. The logfile's posted, as well as a new hijackthis file. So what do you think, am I clear??? If I am, I declare you a hero in spyware trench warfare, Shadow_puter_dude. If not... weeell, it's a start:)
     

    Attached Files:

  4. blackbird005

    blackbird005 Private E-2

    Crud. Apparently not. I just had the http://ad.oinadserve pop-up come up again... *sigh* Any advice?
     
  5. blackbird005

    blackbird005 Private E-2

    Yep, the Christmas screensaver pop-up just showed up again. Not out of the woods yet, I'm afraid. I just got the suggestion to hit the machine with a mallet - apparently it scares the spyware away...
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    OK, before I start giving you any fixes I need you to do this first, and we will go from there.

    Launch Notepad, and copy the text in the box below into a new text file, save as

    File name: Findfile.bat
    Save as type: All files

    Save it to your desktop
    Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text in your reply
     
    Last edited: Dec 15, 2005
  7. blackbird005

    blackbird005 Private E-2

    Wow, now we're getting into foreign territory for me! Here's the resulting text that came up in Notepad:



    Volume in drive C has no label.
    Volume Serial Number is 4C41-C2F1

    Directory of C:\WINDOWS\system32

    28/11/2005 08:24 AM 401,408 r?ndll.exe
    1 File(s) 401,408 bytes

    Directory of C:\Documents and Settings\Peta\Desktop




    Hope this helps, and THANK YOU for your help!!!!
     
  8. blackbird005

    blackbird005 Private E-2

    In case this might sound like a familiar form of spyware, here's what else I've been able to find out about the pop-ups:

    The screensavers.com desktop first comes up as sfondi, then changes to screensavers.com

    The "Server busy" warning changes to an error message when I ignore it long enough, saying "An error has occurred in the script on the page". The error points me to the following source: file://C:\Documents and Settings\Peta\Local Settings\Temp\NDrB7.tmp.html
    This is strange to me, since I wiped all the temp files...

    Hope this helps,
    Cheers!
     
  9. blackbird005

    blackbird005 Private E-2

    Well now, as if that wasn't enough, I've got a new development. I got the Internet Explorer Script Error again after I ignored the Server Busy pop-up. Tried to shut it down by right-clicking at the bottom of the screen, no luck this time. So I shut down all of my browser windows, still didn't get rid of the message, but somehow I had a simultaneous opening of my hotmail inbox in 4 new separate windows.
    Also, spy-sweeper blocked the new installation of eetu.exe to my startup about 20 minutes ago.
     
  10. blackbird005

    blackbird005 Private E-2

    Yep, me again. On a hunch, I checked program files for rdso\eetu.exe. Yep, there it was again. Ended eetu.exe in my process tree, deleted the folder from program files, emptied my recycle bin. Simultaneously, Spy sweeper shield picked up the following program change:

    Startup Item: Aida
    Product name not provided
    Company name not provided
    Copyright information not provided
    Location: c:\program files\rdso\eetu.exe
    Registry of Startup folder: HKCU: Run

    Getting a little bit exasperated...
     
  11. blackbird005

    blackbird005 Private E-2

    Program Files\rdso\eetu.exe installation is not being blocked by Spy sweeper. It is being detected as Aida, and spy sweeper considers the problem solved when I click to remove it. However the rdso folder is in my Program Files at the next reboot, and eetu.exe is running its process in Windows task manager. SHIFT+delete only gets rid of it until the next reboot.
     
  12. blackbird005

    blackbird005 Private E-2

    The "server busy" pop up closes when I end the eetu.exe and rundll.exe processes in windows task manager. Sorry if this is more info than you need - though it may help someone else diagnose if they have the same problem...
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    Please don't try to remove these on your own. You could make things worse. Sometimes just deleting the file won't work. Often there is more that goes along with the infection that will bring it back at system start.
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  15. blackbird005

    blackbird005 Private E-2

    The instructions you provided must have taken quite a bit of work - I appreciate that...

    There were a couple of deviations from your instructions:

    C:\Program Files\rdso\eetu.exe was not present for me to delete using HJT, however I did find and delete the entire \rdso\ folder using ExplorerXP.
    After I ran CleanUp! in safe mode, one file was left over in C:\WINDOWS\Prefetch, called RYNDLL.EXE-0405112F.pf. I deleted this and emptied the recycle bin before rebooting in safe mode.

    My hijackthis file's attached - let's hope I'm clean!
     

    Attached Files:
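
Added example, not part of any post in this thread: a small triage script that reads `dir`-style output like the listing posted above and flags file names that imitate a Windows system binary, including Prefetch entries such as the `RYNDLL.EXE-0405112F.pf` file mentioned in the previous post. The `KNOWN` list, the sample listing and all function names are assumptions made for the illustration.

```python
import re

# Assumption: a short reference list of real Windows binaries that malware often imitates.
KNOWN = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe")
ENTRY = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+[\d,]+\s+(.+?)\s*$")
FOLDER = re.compile(r"^\s*Directory of (.+?)\s*$")

# Constructed sample in the layout of the dir output quoted in the thread.
SAMPLE = """\
 Directory of C:\\WINDOWS\\system32
28/11/2005  08:24 AM           401,408 r?ndll.exe
23/08/2001  12:00 PM            31,744 rundll32.exe
23/08/2001  12:00 PM            50,688 notepad.exe
 Directory of C:\\WINDOWS\\Prefetch
15/12/2005  09:10 AM            12,288 RYNDLL.EXE-0405112F.pf
"""

def stem(exe):
    return exe.rsplit(".", 1)[0].rstrip("0123456789")  # "rundll32.exe" -> "rundll"

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    # Lower-case the name and drop a Prefetch "-HASH.pf" suffix if present.
    exe, reasons = re.sub(r"-[0-9a-f]{8}\.pf$", "", name.lower()), []
    # cmd.exe prints "?" for characters its code page cannot render.
    if "?" in name or not name.isascii():
        reasons.append("unrenderable or non-ASCII character")
    if exe not in KNOWN:
        reasons += [f"lookalike of {k}" for k in KNOWN
                    if edit_distance(stem(exe), stem(k)) <= 1]
    return reasons

def scan(listing):
    folder, hits = None, []
    for line in listing.splitlines():
        if m := FOLDER.match(line):
            folder = m.group(1)
        elif (m := ENTRY.match(line)) and (why := classify(m.group(1))):
            hits.append((folder, m.group(1), why))
    return hits
```

Calling `scan(SAMPLE)` returns the two flagged entries with their folder and reasons; the genuine `rundll32.exe` and `notepad.exe` are not reported.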

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    OK, your HijackThis log is clean.

    I want to take a deeper look at your system.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  17. blackbird005

    blackbird005 Private E-2

    Only too happy to oblige Shadow_Puter_Dude, especially after your rescuing me from popup hell (eetu.exe and rundll are both gone, and no popups thus far!). :) Here's what WinPFind came up with... see anything interesting?
    Cheers!
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    Boot to Safe Mode, open Windows Explorer and delete the following:
    Reboot

    Tell me how your computer is running?
     
  19. blackbird005

    blackbird005 Private E-2

    Done as instructed :) I'm not seeing any changes to computer function. I'm guessing this means I didn't need those dusty old files, and they may have been some kind of malware? If there's anything else you'd like to take a look at, just let me know.
    By the way, is there a forum where I can tell other users about your wonderful help? My blood pressure has gone down substantially!
     
  20. blackbird005

    blackbird005 Private E-2

    Correction: as I'm running through my programs, I think there may be a slight increase in speed... Can't figure out if it's all in my head though.
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    If you like, we can look around some more.

    Run Panda Online Scan. After the scan attach the log to your next post.

    We can also look for root kits. Install and run BlackLight. Post the log once it has finished scanning your system.
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    Just tell your friends about us, and they can tell their friends.
     
  23. blackbird005

    blackbird005 Private E-2

    Heh heh, most of my friends already know (I've been raving to them for the last 6 hours)! It's not often that one comes across genuinely helpful, knowledgeable and interested people... Anyways, here's my latest scan report from Panda; one infection found (Blacklight came up clean). Should I just manually delete this one? If I do get rid of it, I shall consider myself not just clean, but sterile!
     

    Attached Files:

  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    No, DO NOT delete that file.

    Follow the directions for Running Hoster to reset your hosts file.

    For your reading pleasure, How to Protect yourself from malware!.

    Your system should now be clean.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: “Server Busy”, http://ad.oinadserver.com, Sfondi Desktop, Screensavers.com popups

    That will not work! The reason for seeing the infection is due to SpySweeper locking the hosts file and adding info into it. You need to stop Spy Sweeper from protecting the hosts file and then run Hoster to set it to default. Then if desired you can enable SpySweeper again.
     
