oinadserver popup removal[resolved]

Comments

• Crunchie Mandurah. Western Australia. Member

  January 2006 edited January 2006

  Can you please do the following.
  
  Run the PurityScan uninstaller.
  
  ===============
  
  Please visit at least two of the following sites for an online virus scan:
  
  BitDefender Free Online Virus Scan
  http://www.bitdefender.com/scan/licence.php
  Make sure you tick AutoClean under Scan Options.
  
  Panda ActiveScan
  http://www.pandasoftware.com/activescan/com/activescan_principal.htm
  Make sure you tick Disinfect automatically under Scan Options.
  
  Housecall at TrendMicro
  http://housecall.trendmicro.com/housecall/start_corp.asp
  Make sure you tick Auto Clean.
  When it completes, post back the full filename of any files that cannot be cleaned or deleted.
  
  eTrust Antivirus Web Scanner
  http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
  
  ===============
  
  Now, let's open a command prompt by going to the start menu and then select 'Run'.
  
  In the box that pops up type in 'cmd'. The command prompt will open.
  
  OR
  
  You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:
  
  regsvr32 /u owngjmv.dll
  regsvr32 /u tfhgqdp.dll
  
  It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.
  
  ===============
  
  Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from your PC. To do this, let's:
  
  1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:
  
  ??anregw.exe*
  eetu.exe*
  
  2) Then if any are found in the 'prefetch' folder, delete them.
  
  Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.
  
  ===============
  
  Run HiJackThis then:
  
  1. Click "Open the Misc Tools Section"
  2. Click "Open Process manager"
  
  -
  
  Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
  
  C:\WINDOWS\system32\??anregw.exe
  C:\Program Files\rdso\eetu.exe
  
  Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
  
  ===============
  
  Scan with HiJackThis, then check(tick) the following, if present:
  
  
  R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
  
  R3 - URLSearchHook: (no name) - {B79E1944-80F8-D558-F03B-8EEA1CBC7C92} - C:\WINDOWS\system32\tfhgqdp.dll
  
  O2 - BHO: (no name) - {2E07BA49-75F2-7151-A6EE-73D58F25E492} - C:\WINDOWS\system32\owngjmv.dll
  O2 - BHO: (no name) - {B79E1944-80F8-D558-F03B-8EEA1CBC7C92} - C:\WINDOWS\system32\tfhgqdp.dll
  
  O4 - Startup: MX240a.lnk = ?
  
  O15 - Trusted Zone: http://click.getmirar.com (HKLM)
  O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
  O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
  
  O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
  
  O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
  
  
  Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
  
  ===============
  
  Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:
  
  folders...
  
  C:\Program Files\rdso
  
  files...
  
  C:\WINDOWS\system32\tfhgqdp.dll
  C:\WINDOWS\system32\owngjmv.dll
  C:\WINDOWS\scvhost.exe
  
  -
  
  Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
  
  -
  
  Reboot.
  
  ===============
  
  To help protect your system from hostile ActiveX content, or special 'downloadable' files:
  
  Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:
  
  1) Check for any available updates; if present, they'll be automatically downloaded and installed.
  2) Next, "Enable all protection".
  3) Exit the program.
  
  -
  
  Note: Remember to regularly check for updates.
  
  ===============
  
  After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

  0
• campchaos1

  January 2006 edited January 2006

  Crunchie,
  
  Thank you very much for your help. The computer is running much better now, and I've had no popups! I ran the PurityScan uninstaller, Panda ActiveScan and the eTrust Antivirus Web Scanner, and then the rest of your instructions. The only thing I did not do was remove the reference to MX240a. This is some SW that is run at startup for an IMFree device and I was afraid that if I removed it, it might not run???
  
  Here is the new HijackThis result -
  
  Logfile of HijackThis v1.99.1
  Scan saved at 11:30:29 PM, on 1/30/2006
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
  C:\WINDOWS\system32\crypserv.exe
  C:\Program Files\ewido\security suite\ewidoctrl.exe
  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
  C:\Program Files\Dantz\Retrospect\retrorun.exe
  C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\system32\WDBtnMgr.exe
  C:\Program Files\Analog Devices\Core\smax4pnp.exe
  C:\WINDOWS\System32\hkcmd.exe
  C:\WINDOWS\system32\dla\tfswctrl.exe
  C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
  C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
  C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  C:\Program Files\iTunes\iTunesHelper.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\iPod\bin\iPodService.exe
  C:\Program Files\Common Files\AOL\1123471094\ee\AOLHostManager.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\MX240a\MX240a_AOL.exe
  C:\Program Files\Common Files\AOL\1123471094\ee\AOLServiceHost.exe
  c:\program files\common files\aol\1123471094\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
  C:\Program Files\Common Files\AOL\1123471094\ee\AOLServiceHost.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\HijackThis\HijackThis.exe
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/60004?lswe=60004&lwsa=WeatherLocalUndeclared&from=whatwhere
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
  O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
  O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
  O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
  O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
  O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123471094\ee\AOLHostManager.exe
  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
  O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
  O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
  O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
  O4 - Startup: logon.bat
  O4 - Startup: MX240a.lnk = ?
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
  O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
  O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
  O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
  O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
  O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
  O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
  O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123808350343
  O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
  O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
  O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
  O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
  O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
  O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
  O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
  
  
  
  Does this look ok to you?
  
  
  Again, thank you for your help! I really appreciate it.

  0
• Crunchie Mandurah. Western Australia. Member

  January 2006 edited January 2006

  The '?' in O4 - Startup: MX240a.lnk = ? indicated a broken shortcut and is why I marked it for deletion. The program will still work without it . If the shortcut does work, then ignore me.
  
  ==
  
  Go to;
  
  Start>>Run and type regedit
  Press enter.
  Navigate to:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Security Authority Subsystem Service (lsass)
  
  If Local Security Authority Subsystem Service (lsass) exists , right click on it and choose delete from the menu.
  
  Now navigate to:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Local Security Authority Subsystem Service (lsass)
  
  If LEGACY_Local Security Authority Subsystem Service (lsass) exists then right click on it and choose delete from the menu.
  
  ==
  
  Reboot and if that entry has gone, you are good to go .

  0
• campchaos1

  January 2006 edited January 2006

  I was deleted both of the LSASS entries. The
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_Local Security Authority Subsystem Service (lsass)
  
  had permission errors, but I was able to change the permissions and delete it.
  
  Everything seems to be working well!
  
  Again, I really appreciate your help.

  0
• Crunchie Mandurah. Western Australia. Member

  February 2006 edited February 2006

  Now that your PC is clean you need to follow these easy steps to keeping it this way:
  
  Secure your Internet Explorer by going here and following the instructions there.
  
  Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
  
  Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.
  
  Install and keep updated, Ewido anti-malware, Ad-Aware SE and Spybot S&D.
  Run them both on a regular basis, following the manufacturer's recommendations.
  
  Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.
  
  Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
  
  
  Clear your Temp folders.
  Clear out your Temporary internet files and other temp files.
  Go to Start > Settings > Control Panel >Internet Options.
  Under the General tab click the Delete temporary internet files,
  delete all Offline content as well. Clear out Cookies.
  
  Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
  
  Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
  
  C:\Documents and Settings\username\Local Settings\Temp\
  
  In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
  
  Empty the Recycle Bin.
  
  For XP users.
  After something like this it is a good idea to Flush the Restore Points and start fresh.
  To flush the XP system Restore Points.
  
  Go to Start>Run and type msconfig. Press enter.
  
  When msconfig opens, click the Launch System Restore Button.
  On the next page, click the System Restore Settings link on the left.
  
  Check the box labelled 'Turn off System restore'.
  
  Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
  
  Note that all previous restore points will be lost.
  
  ===============
  
  If you have any more problems, post back.
  
  -
  
  Happy surfing,
  
  crunchie.

  0