Tech Support banner

Status
Not open for further replies.
1 - 3 of 3 Posts

·
Registered
Joined
·
1 Posts
Discussion Starter #1
Please help! Need help getting rid of pop up from oinadserve. System is slow also, please help!
I have attached my Hijackthis log.
Thanks
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:11:42 AM, on 10/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
D:\Program Files\Movielink\MovielinkManager\Movielink User.exe
C:\WINDOWS\System32\n?svc32.exe
D:\Program Files\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\Michelle\LOCALS~1\Temp\_PA119\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2431ED4A-7380-2420-8A29-2B27B4E5BC95} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\CHATTE~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] "D:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [comcat] C:\WINDOWS\System32\comcat.exe
O4 - HKCU\..\Run: [sintfnt] C:\DOCUME~1\Michelle\LOCALS~1\Temp\sintfnt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msvbvm60] C:\WINDOWS\System32\msvbvm60.exe
O4 - HKCU\..\Run: [c0tsRWbFR] cli2disp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Susi] C:\Documents and Settings\Michelle\Application Data\noca.exe
O4 - HKCU\..\Run: [Sgnhafqr] C:\WINDOWS\System32\n?svc32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .avi: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npavi32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O23 - Service: Movielink Core Service - Movielink LLC - D:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
Security Team (ret.)
Joined
·
7,403 Posts
Hi and Welcome
It may help to print out or copy this page as you will be working in Safe Mode.. Make sure to work through the fixes in the exact order its listed..

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes..

Download any of the required programs before attempting to start any of the fixes.


Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/



SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Files highlighted in BLACK will need to be removed from your hard drive.

Folders that have been highlighted RED will need to be uninstalled.

------------------------------------------------------------------



Please download Ewido Security Suite

Install Ewido Security Suite.
When installing, under 'Additional Options' uncheck: "Install background guard" and "Install scan via context menu"

To open the main screen double click the icon on the desktop.

You will get a warning 'Database could not be found!'.(only if no updated have first been installed) Click OK.

Update to the latest definition files.On the left of the main screen click Update.Then click on Start Update.Let it complete the updates.

Carry out this next part in Safe Mode

Now Click on Scanner and Click on Complete System Scan and the scan will start.

During some scans it may find cases of false positives so you will need to step through the process of cleaning files one-by-one.

If a file is detected you KNOW to be legitimate, select None as the action. Do NOT select 'Perform action on all infections'

If you are unsure of any entry found play safe and select None as the action.
Press the button marked Save Report

Save the report .txt file to your desktop or somewhere you can find it.Post it back with your next HJT log.



-----------------------------------------------------------------------

Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This"
------------------------------------------------------------------

Uninstall the following programs (if they still exist) Go into HijackThis->Config->Misc.Tools->Open Uninstall manager

Winupdates

-----------------------------------------------------------------


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following exe file and click End Process for each one if they are listed.

cli2disp.exe
requester.10.exe
comcat.exe
n?svc32.exe
msvbvm60.exe


------------------------------------------------------------------

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: (no name) - {2431ED4A-7380-2420-8A29-2B27B4E5BC95} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [comcat] C:\WINDOWS\System32\comcat.exe
O4 - HKCU\..\Run: [sintfnt] C:\DOCUME~1\Michelle\LOCALS~1\Temp\sintfnt.exe
O4 - HKCU\..\Run: [msvbvm60] C:\WINDOWS\System32\msvbvm60.exe
O4 - HKCU\..\Run: [c0tsRWbFR] cli2disp.exe
O4 - HKCU\..\Run: [Susi] C:\Documents and Settings\Michelle\Application Data\noca.exe
O4 - HKCU\..\Run: [Sgnhafqr] C:\WINDOWS\System32\n?svc32.exe

------------------------------------------------------------------

Open Windows Explorer and delete the following highlighted file/s
Also delete the following red folder/s

C:\WINDOWS\System32\cli2disp.exe
C:\WINDOWS\System32\requester.10.exe
C:\WINDOWS\System32\comcat.exe
C:\WINDOWS\System32\n?svc32.exe
C:\WINDOWS\System32\msvbvm60.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\sintfnt.exe
C:\Documents and Settings\Michelle\Application Data\noca.exe

C:\Program Files\winupdates

-------------------------------------------------------------------
Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup This will clean out your tempory files.

When finished please post a new log......

NOTE........................

You really need to make your computer more secure from malware. I would advise you update your Windows and IE Browser security to SP1 or SP2 .Is there any reason why you dont have it ?.You are wide open to infection with raw XP.Once you hit the net you could get reinfected and that would all be a waste of time after carrying out this cleaning..

http://www.microsoft.com/windowsxp/sp2/default.mspx
http://www.microsoft.com/windowsxp/...p1/default.mspx
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(s) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure)

C:\WINDOWS\System32\Launcher.exe
C:\WINDOWS\System32\n?svc32.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http://proxy/:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {2431ED4A-7380-2420-8A29-2B27B4E5BC95} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [comcat] C:\WINDOWS\System32\comcat.exe
O4 - HKCU\..\Run: [sintfnt] C:\DOCUME~1\Michelle\LOCALS~1\Temp\sintfnt.exe
O4 - HKCU\..\Run: [msvbvm60] C:\WINDOWS\System32\msvbvm60.exe
O4 - HKCU\..\Run: [c0tsRWbFR] cli2disp.exe
O4 - HKCU\..\Run: [Susi] C:\Documents and Settings\Michelle\Application Data\noca.exe
O4 - HKCU\..\Run: [Sgnhafqr] C:\WINDOWS\System32\n?svc32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)

C:\WINDOWS\System32\Launcher.exe
C:\WINDOWS\System32\n?svc32.exe
C:\WINDOWS\System32\requester.10.exe
C:\Program Files\winupdates\winupdates.exe
C:\WINDOWS\System32\comcat.exe
C:\WINDOWS\System32\msvbvm60.exe
C:\Documents and Settings\Michelle\Application Data\noca.exe
cli2disp.exe
<--locate and delete that file.

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.


Once back to normal windows....

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm
Make sure you click the ”Free Online Virus Scan” in the upper right hand corner of the page under the Free use Activescan header.

We do NOT want the default spyXposer scan. Once it has finished save the activescan log. Then post that log in your next post along with the Ewido log and a new hijackthis log.


IMPORTANT!:


Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here.

**Note** If your having trouble locating the service pack SP1a here is a direct link to download it from..

http://download.microsoft.com/download/5/4/f/54f8bcf8-bb4d-4613-8ee7-db69d01735ed/xpsp1a_en_x86.exe



Thank you for your cooperation.
 
1 - 3 of 3 Posts
Status
Not open for further replies.
Top