Remnants of WINmxw32.dll infection and browser hijack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Chev, Nov 22, 2006.

  1. Chev

    Chev Private E-2

    G'day people,

    Looking for some help with my PC... have got remnants, it seems, of a virus / spyware in my system. I say remnants, because after running all the diagnostic tools in the "Read and Run this First" sticky, a lot of the baddie bugs "seem" to have disappeared. Though I still get pop-ups in IE(6). I had been getting complete browser hijacks - redirecting me to a website - "www.eupdate.com" which had bogus anti-spyware and the like. That seems to have stopped (for now), but I'm still getting pop-ups and weird cookies wanting to embed, as soon as I click on IE to start, but before the page has even opened.

    Anyway, if I post a HJT log, as well as some of the other logs that I have from running the diagnostics, can someone help me to purge what's left in the system. Looks like it may still have some deep-rooted registry changes or something, but I'm not quite sure what to delete, and what not to...

    Thanks in advance,
    Danno.
     

    Attached Files:

  2. Chev

    Chev Private E-2

    and some more logs...
     

    Attached Files:

  3. Chev

    Chev Private E-2

    Unfortunately the Bit Defender logs don't show anything now. I ran this scan very late - actually in the early hours of the morning, and it did detect and remove / delete a lot of stuff. I didn't realise at the time, plus the brain was switching off, that I had to manually export the log. :(
     
  4. Chev

    Chev Private E-2

    Ran VundoFix and it picked up a few items.

    Here is the log file of that.
     

    Attached Files:

  5. Chev

    Chev Private E-2

    And follows is a new HJT log file...
     

    Attached Files:

  6. Chev

    Chev Private E-2

    After reading another post - I've run a fresh Pandascan with this log file, followed by a fresh HJT log file.
     

    Attached Files:

  7. Chev

    Chev Private E-2

    Reading through another thread, I thought I would try the SmitFraudFix program, and PC-cillin detected the program dumphive.exe in the SFF program as a virus/spyware. Is this right?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.


    Now attach new logs from:
    • GetRunKey
    • ShowNew
    • HJT
    How are things working now?
     
  9. Chev

    Chev Private E-2

    Here is the log file of STEP 1 :




    appreciate the help...
     

    Attached Files:

  10. Chev

    Chev Private E-2

    STEP 2 :

    rapport2 is the saved text file from clean in safe mode.

    rapport3 is the search again after rebooting from previous clean.

    rapport4 - ran the clean again.

    Now back in normal mode. Machine seems to be behaving itself. No funny pop ups, no browser hijacking. That might be it?
     

    Attached Files:

  11. Chev

    Chev Private E-2

    Should I post a HJT log now?
     
  12. Chev

    Chev Private E-2

    Here is my latest HJT log, just to be on the safe side.

    Thanks
    Danno.
     

    Attached Files:

  13. Chev

    Chev Private E-2

    Oh and here are the latest two
    GetRun
    and
    Shownew files...
     

    Attached Files:

  14. Chev

    Chev Private E-2

    This site is unreal - the panacea of Malware and spyware. You blokes are doing an excellent job.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 8
    Safety Bar
    Now install the current version of Sun Java from: Sun Java Runtime Environment


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete
    :
    C:\Program Files\VSAdd-in\VSAdd-in.dll
    C:\WINDOWS\system32\hwxcipjm.exe
    C:\WINDOWS\system32\whsgixil.exe
    Now run Ccleaner.

    Now locate the below folder and delete it if found:
    C:\Program Files\VSAdd-in

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Danno\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  16. Chev

    Chev Private E-2

    Deleted files as found.

    Here are the latest log files thanks Chaslang.
     

    Attached Files:

  17. Chev

    Chev Private E-2

    I've got to say it again mate, thanks for your help.

    As I worked all weekend (I'm a sparky out there IRL), I haven't been back here for the last couple of days. This post of mine was buried back on around page 6 or 7...
    I mention that because it looks like lots of people are constantly requesting your help. How many of you are there helping on this site? It looks like it's almost a full time job.
    What are you doing for a crust - programmer or sys admin?

    Anyway, thanks for your help so far. Oh BTW, is this PC ready for a system restore "toggle" yet?

    Danno.
    Australia.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your newfiles.txt log. The below shows:
    Code:
    "C:\Documents and Settings\Danno\Local Settings\Temp\"
    control.xml   27 Nov 2006         717  "control.xml"
    HSPERF~1      27 Nov 2006              "hsperfdata_Danno"
    java_i~1.log  27 Nov 2006        1040  "java_install_reg.log"
    java_i~2.log  27 Nov 2006       23584  "java_install.log"
    jusched.log   27 Nov 2006        1462  "jusched.log"
    kcbyheqk.exe  22 Nov 2006        7911  "kcbyheqk.exe"
    nbjuqres.exe  22 Nov 2006        7911  "nbjuqres.exe"
    pogbyxuy.exe  21 Nov 2006        7911  "pogbyxuy.exe"
    rfoujxbc.exe  21 Nov 2006        7911  "rfoujxbc.exe"
    vhieityk.exe  21 Nov 2006        7911  "vhieityk.exe"
    
    The last 5 files (the exe files) all should have been deleted. Why do they still show? They have been there since Nov 21st.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    There are about 5 of us who help out in this forum. 4 of which will spend time fixing problems and 1 who mostly polices and posts the READ & RUN ME message. And then out of the 4 only two of us have been really active over the last few months. No I'm not a Sys Admin. I'm an R&D engineer in telecommunications.

    Not until I'm sure those files have gone away. Once I know they are gone by seeing a new log, I will give you final instructions.
     
  20. Chev

    Chev Private E-2

    Sorry mate,
    I wasn't even aware to delete these ones. When it comes to malware deletion/removal I'm still pretty newbie...

    Anyway, I've deleted these specific ones. Is the giveaway the common byte size on all these rogue files? (7911 bytes)

    New runkey, shownew and hjt logs attached.


     

    Attached Files:

  21. Chev

    Chev Private E-2

    Chaslang,

    Looking through my newest newfile.log it looks cleaner; well, those files you suggested deleting are gone anyway.

    What are these, and do they need to go?

    Code:
    File Name: "newfiles28Nov2006-2004hrs.txt"

    Locating C:\WINDOWS\TEMP files created with in the last 90 days.

    "C:\WINDOWS\Temp\"
    mpcmdrun.log  28 Nov 2006        4972  "MpCmdRun.log"
    wgaerr~1.txt  28 Nov 2006         255  "WGAErrLog.txt"
    wganot~1.set  28 Nov 2006         409  "WGANotify.settings"
    xx62          28 Nov 2006           0  "xx62"
    xx63          28 Nov 2006           0  "xx63"
    xx64          28 Nov 2006           0  "xx64"
    xx65          28 Nov 2006           0  "xx65"
    xx66          28 Nov 2006           0  "xx66"

    8 items found:  8 files, 0 directories.
       Total of file sizes:  5,636 bytes      5.50 K
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were not supposed to have to delete them manually. Running CCleaner should have removed them!

    It is more the strange filenames and the fact that they were new files that made them stand out. The common file size just added to their questionable nature.


    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
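    As an added illustration of the traits chaslang points to in posts 18 and 22 (newly created executables sitting in a Temp folder, random-looking names, and an identical byte size across several of them), the following Python script is not part of this thread or of the ShowNew tool. It parses a newfiles.txt-style listing (the sample lines are reconstructed from the ones quoted above) and reports which entries match those traits and why. The "8 lowercase letters" name rule and the list of executable extensions are my own assumptions, modelled on the filenames in the thread; the size-clustering step is the general form of the "same 7911 bytes" observation.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the newfiles.txt (ShowNew) output quoted in the thread.
SAMPLE_LISTING = """\
"C:\\Documents and Settings\\Danno\\Local Settings\\Temp\\"
control.xml   27 Nov 2006         717  "control.xml"
HSPERF~1      27 Nov 2006              "hsperfdata_Danno"
java_i~1.log  27 Nov 2006        1040  "java_install_reg.log"
jusched.log   27 Nov 2006        1462  "jusched.log"
kcbyheqk.exe  22 Nov 2006        7911  "kcbyheqk.exe"
nbjuqres.exe  22 Nov 2006        7911  "nbjuqres.exe"
pogbyxuy.exe  21 Nov 2006        7911  "pogbyxuy.exe"
"C:\\WINDOWS\\Temp\\"
mpcmdrun.log  28 Nov 2006        4972  "MpCmdRun.log"
xx62          28 Nov 2006           0  "xx62"
"""

# Assumption: extensions Windows will execute directly; extend to taste.
EXEC_EXT = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Folder header lines look like  "C:\path\to\folder\"
FOLDER_RE = re.compile(r'^"(.+\\)"$')
# Entry lines: 8.3 name, date, optional size (directories have none), quoted long name
ENTRY_RE = re.compile(r'^(\S+)\s+(\d{1,2} \w{3} \d{4})\s+(\d+)?\s*"(.+)"$')
# Assumption: the dropper names in the thread are all 8 lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


def parse_listing(text):
    """Return a list of (folder, long_name, size_or_None, date) tuples."""
    entries = []
    folder = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FOLDER_RE.match(line)
        if m:
            folder = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and folder is not None:
            short, date, size, long_name = m.groups()
            entries.append((folder, long_name, int(size) if size is not None else None, date))
    return entries


def flag_suspicious(text):
    """Map full path -> list of reasons for every entry that trips a heuristic."""
    reasons = defaultdict(list)
    by_size = defaultdict(list)
    for folder, name, size, _date in parse_listing(text):
        if size is None:  # directory entry, nothing to score
            continue
        stem, dot, ext = name.rpartition(".")
        ext = ("." + ext).lower() if dot else ""
        path = folder + name
        if ext in EXEC_EXT and "temp" in folder.lower():
            reasons[path].append("executable in a Temp folder")
            if RANDOM_STEM_RE.match(stem):
                reasons[path].append("random-looking 8-letter name")
            by_size[size].append(path)
    # Several flagged executables sharing one exact size strengthens the case for each.
    for size, paths in by_size.items():
        if len(paths) >= 2:
            for p in paths:
                reasons[p].append(
                    f"same size ({size} bytes) as {len(paths) - 1} other flagged executable(s)"
                )
    return dict(reasons)


if __name__ == "__main__":
    for path, why in sorted(flag_suspicious(SAMPLE_LISTING).items()):
        print(path)
        for r in why:
            print("   -", r)
```

    Run against a saved newfiles.txt the script lists only the entries worth a second look, with the reasons attached, so the legitimate Java and Windows Defender logs in the same folder are left alone. The heuristics are deliberately loose: they are for triage, and a hit still needs the file checked (hash, signature, scan) before it is deleted.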
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are just temp files related to things you are running or from things Windows itself is doing. Anything in temp folders is normally deletable!
     
  24. Chev

    Chev Private E-2

    Thanks again mate,

    Appreciate the help. Are you in the US or Australia?

    Dan.
     
  25. Chev

    Chev Private E-2

    Just wondering where to send the carton? (Beer).
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    I'm right where my Location indicator specifies. Which is in the USA. ;)
     
    Last edited: Dec 1, 2006
