Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Oinadserver Is Very Frustrating!

  • Please log in to reply
5 replies to this topic

#1 drummerguy


  • Members
  • 6 posts
  • Local time:03:35 AM

Posted 18 December 2006 - 02:22 AM

I use IE, I have ran all of the anti-virus, spyware/malware stuff and I continually have recurring popups from oinadserver. I googeld it and came across Bleepingcomp.com and well, your my last hope!

Thanks so much for your time and patience.


William (drummerguy)

PS. I am mostly computer illiterate :thumbsup: , so could you please explain EVERYTHING, step by step? Thanks!

BC AdBot (Login to Remove)


#2 drummerguy

  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:35 AM

Posted 18 December 2006 - 02:45 AM

Here is the HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 11:08:23 PM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\William\My Documents\?icrosoft\n?tepad.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ucr.edu:8080
R3 - URLSearchHook: (no name) - {9FF3E4E8-0555-55A7-25F7-0545737E7397} - C:\WINDOWS\system32\aqakh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {9FF3E4E8-0555-55A7-25F7-0545737E7397} - C:\WINDOWS\system32\aqakh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uahe] "C:\WINDOWS\system32\ASEMBL~1\regedit.exe" -vt ndrv
O4 - HKCU\..\Run: [Ytbkyaky] C:\Documents and Settings\William\My Documents\?icrosoft\n?tepad.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#3 -David-


  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:35 AM

Posted 18 December 2006 - 04:32 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.


#4 drummerguy

  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:35 AM

Posted 20 December 2006 - 12:33 PM

Here is the combo fix log...

William - 06-12-20 9:19:00.27 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\William\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\William\Application Data\Install.dat

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\William\Application Data\ECURIT~1
C:\QooBox\Purity\Documents and Settings\William\Application Data\STEM32~1
C:\QooBox\Purity\Documents and Settings\William\Application Data\WNSXS~1
C:\QooBox\Purity\Documents and Settings\William\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\William\My Documents\MBOLS~1
C:\QooBox\Purity\Documents and Settings\William\My Documents\SCURIT~1
C:\QooBox\Purity\Documents and Settings\William\My Documents\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\William\My Documents\ICROSO~1\n?tepad.exe
C:\QooBox\Purity\Program Files\SKS~1

((((((((((((((((((((((((((((((( Files Created from 2006-11-20 to 2006-12-20 ))))))))))))))))))))))))))))))))))

2006-12-18 07:48 <DIR> d-------- C:\Program Files\SpySheriff
2006-12-17 23:02 <DIR> d-------- C:\Program Files\HijackThis
2006-12-13 16:54 58,880 --a------ C:\WINDOWS\system32\aqakh.dll
2006-12-10 18:40 <DIR> d-------- C:\Program Files\WinBudget

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-13 16:54 2 --a------ C:\WINDOWS\system32\wnstscc.exe
2006-11-16 19:03 -------- d-------- C:\Program Files\QuickTime
2006-11-16 19:03 -------- d-------- C:\Program Files\mobile PhoneTools
2006-11-16 19:03 -------- d-------- C:\Program Files\iTunes
2006-11-16 19:03 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-16 19:02 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-16 18:59 69632 --a------ C:\WINDOWS\system32\igfxtray.exe
2006-11-16 18:59 69632 --a------ C:\WINDOWS\system32\hkcmd.exe
2006-11-16 18:28 -------- d-------- C:\Program Files\Messenger
2006-10-28 15:11 -------- d-------- C:\Program Files\OIN Search
2006-10-04 20:02 53248 --a------ C:\WINDOWS\runepson.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Uahe"="\"C:\\WINDOWS\\system32\\ASEMBL~1\\regedit.exe\" -vt ndrv"
"Ytbkyaky"="C:\\Documents and Settings\\William\\My Documents\\?icrosoft\\n?tepad.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"UC_Start"="C:\\Program Files\\IBM\\Updater\\\\ucstartup.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\\\ibmmessages.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QCTRAY"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCTRAY.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WatchDog"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"





[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"FriendlyName"="My Current Home Page"

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"








HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - William.job

Completion time: 06-12-20 9:20:44.46
C:\ComboFix.txt ... 06-12-20 09:20

#5 drummerguy

  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:35 AM

Posted 20 December 2006 - 12:34 PM

Here is the HJT log after running combo fix...

Abacast Client
Access IBM
Access IBM Message Center
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
DrumScriobh Viewer
EPSON Printer Software
Finale 2000
Finale 2001a
Google Earth
HijackThis 1.99.1
IBM 32-bit Runtime Environment for Java 2, v1.4.1
IBM Access Connections
IBM Active Protection System
IBM Integrated 56K Modem
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM ThinkVantage Technologies Welcome Message
IBM TrackPoint Accessibility Features
IBM Update Connector
ImageMixer VCD/DVD2 for OLYMPUS
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® Sebring API
InterActual Player
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.10.3
LiveReg (Symantec Corporation)
LiveUpdate BVRP Software
Microsoft .NET Framework 1.1
Microsoft Interactive Training
Microsoft Office XP Media Content
Microsoft Office XP Standard for Students and Teachers
mobile PhoneTools
MSN Music Assistant
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
OIN Search
PC-Doctor for Windows
Sierra On-Line Games (Remove only)
Sonic Update Manager
Spybot - Search & Destroy 1.4
Star Trek -- Starfleet Academy
Symantec Script Blocking Installer
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
USB MassStorage CardReader
Westwood Shared Internet Components
Windows Media Format Runtime
Windows Media Player 10

#6 -David-


  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:35 AM

Posted 20 December 2006 - 06:06 PM

Hello there,

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

OIN Search

Please download the Suspicious File Packer from here:
Unzip it to the desktop but do not run it.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Open the Suspicious File Packer now.
Paste the following bold part into the Suspicious File Packer window:


Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Whilst in safe mode, delete these folders (if present):
C:\Program Files\OIN Search
C:\Program Files\SpySheriff

Boot back to normal mode.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Then download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted,and Enhanced Security Configuration Zones.
Note once you do this, any previous restricted zone hacks (spywareblaster, ie-spyad, etc) will need to be reapplyed.[/list]
Then download the ResetProtocolDefaults regscript
Download it and save it to your desktop.
Right click it and choose merge.
When it asks you if you want to merge the contents to the registry, click yes/ok.

You might a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Click here to download FindAWF.exe and save it to your desktop:

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Also post a new Hijackthis log, you posted an uninstall list in your last reply.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users