harris9999
asked on
Spyware - wixawin.com pop ups
Hi,
On a PC, when I open an IE7 window it stays at my homepage for a while, then another window pops up with the address:
http://www.wixawin.com/uk/ads/christmaspin.aspx?clickid=0006Uq0000001AmDHBjE&ce_cid=0006Uq0000001AmDHBjE
This happens all the time, although sometimes it can be a different address.
The PC has Symantec Client Security v9 on it but the Auto Protect has been disabled and I can't enable it again.
I have tried AdAware, SpyBot Search & Destroy, Spyware Blaster & Spyware Guard, but still can't get rid of it.
Any ideas?
ASKER
HiJack Log:
Logfile of HijackThis v1.99.1
Scan saved at 21:23:57, on 18/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\jxieunuu.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.translink.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB002" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX620 Series on FRANK] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE /P45 "Auto EPSON Stylus Photo RX620 Series on FRANK" /O16 "\\FRANK\Printer2" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [\\FRANK\EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE /P39 "\\FRANK\EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\jxieunuu.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\jxieunuu.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\jxieunuu.exe
That's the only bad thing I see. If you can safely delete these 2 entries, then from what it looks like you might have this one nailed.
SuperAntiSpyware should even get this one.
ASKER
Ok, the SuperAntiSpyware is currently running 20 minutes so far and has found quite a few threats.
I will try the Combo Fix if this is unsuccessful.
O23 - Service: DomainService - - C:\WINDOWS\system32\jxieunuu.exe
C:\WINDOWS\system32\jxieunuu.exe
The above is the only nasty showing in your logfile, but some other nasties can hide from the scan.
As John6767 suggested, delete this file --> C:\WINDOWS\system32\jxieunuu.exe
You also need to stop and delete this service --> DomainService
Go to Start Menu > Run > type
cmd
Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:
sc stop DomainService
sc delete DomainService
exit
And delete this file --> C:\WINDOWS\system32\jxieunuu.exe - either using HijackThis "delete file on reboot" or in Safe Mode; you have to kill the running process first. Or use a third-party tool like Killbox.
2. Or another option is Combofix, as InDiGenus suggested, combofix also gets rid of it.
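As an added example (not from this thread or from HijackThis), a small Python parser that picks out the O23 service entries a reviewer would look at twice, using the two traits the replies above rely on: an empty vendor field and a standalone .exe dropped straight into system32. The heuristics and the "Display Name (ServiceName)" convention are this example's own assumptions; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: O23 lines from the HijackThis log in this thread,
# plus one O4 line to show that other sections are ignored.
SAMPLE_LOG = """\
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe
O23 - Service: DomainService - - C:\\WINDOWS\\system32\\jxieunuu.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\\Program Files\\Symantec AntiVirus\\SavRoam.exe
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\VPTray.exe
"""

@dataclass
class Service:
    display_name: str
    service_name: str   # key name the sc.exe commands in the reply act on
    vendor: str
    path: str

def parse_o23(line: str) -> Optional[Service]:
    """Parse 'O23 - Service: <display> (<name>) - <vendor> - <path>'; None for other sections."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    display, rest = line[len(prefix):].split(" - ", 1)
    if rest.startswith("- "):           # empty vendor field renders as "... - - C:\..."
        vendor, path = "", rest[2:]
    else:
        vendor, path = rest.split(" - ", 1)
    # Assumption: HijackThis prints "Display Name (ServiceName)" when the two differ.
    m = re.fullmatch(r"(.+) \((.+)\)", display)
    names = (m.group(1), m.group(2)) if m else (display, display)
    return Service(names[0], names[1], vendor.strip(), path.strip())

def suspicious_services(log: str) -> List[Tuple[Service, List[str]]]:
    """Return (service, reasons) for entries worth a closer look. Heuristics are this example's own."""
    hits = []
    for line in log.splitlines():
        svc = parse_o23(line.strip())
        if svc is None:
            continue
        reasons = []
        if not svc.vendor:
            reasons.append("no vendor/company name")
        if re.match(r"(?i)^c:\\windows\\system32\\[^\\]+\.exe$", svc.path):
            reasons.append("standalone exe directly in system32")
        if reasons:
            hits.append((svc, reasons))
    return hits

def removal_commands(svc: Service) -> List[str]:
    """The sc.exe sequence from the reply above, applied to the parsed service key name."""
    return [f"sc stop {svc.service_name}", f"sc delete {svc.service_name}"]
```

Running it over the sample flags only DomainService, for both reasons, and yields the same two sc commands the reply gives.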
http://www.hijackthis.de
Also, install and update Super Anti Spyware and reboot to Safe Mode.
Then do a full scan, and see what it finds. Then you can even do an Online Virusscan for Housecall if you use Safe mode w/ networking.
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
http://www.superantispyware.com/
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection)
Housecall Online Free Virus Scanner
http:\\housecall.trendmicro.com
Great to do an online Scan in Safe Mode w/ networking