Random web pages opening.

**Webshark2000** · November 15th, 2009, 09:27 AM

I randomly get redirected or have several websites open when I click on a link in both Internet Explorer and Firefox. If anyone can tell me what might be causing this, I'd really appreciate it.

Thanks.

**photolady** · November 15th, 2009, 11:34 AM

Hijackthis log need to be copied and pasted into the thread, not attached.

Also, you really should follow the advice given by the security experts instead of just posting a hijackthis log.

IMPORTANT NOTE! Because hijack this will list the names of various Malware on your PC, your antivirus may react to the names of said Malware and interpret it as a threat. This is a false positive, which can safely be disregarded. Nothing in this forum actually poses a threat to your computer.

All members wishing to post their HijackThis logs please observe the below rules and instructions before posting your HijackThis log.

If you desire to give assistance in the hijackthis forum, please PM one of our Moderators with some links of where you have previously/currently helped.
If you do not have permission from our staff to assist with hijackthis logs etc., please refrain from doing so until given the all clear.
Thank you for your co-operation.

Do NOT PM or Email logs!
When posting your log please explain in detail the problems you are experiencing with your computer. This will be a great help.
Resolved Hijackthis logs will be marked off as SOLVED and will be Locked. If the original poster of the log wishes to have their thread re-opened for some reason then please send a PM or email to one of the MODS. Include the link to the thread and details why you need it reopened.
Please do NOT post your HijackThis log as an attachment. They will be - regrettably - IGNORED. Our members don't need long files downloaded to their computers; and if your computer IS infected, we SURE aren't going to download your files!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please do an online virus scan with at least two of the following programs, and post the results with your other logs when done:

Housecall at TrendMicro
http://housecall.trendmicro.com/hous...start_corp.asp
Make sure you tick Auto Clean

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options

Panda ActiveScan
http://www.pandasoftware.com/actives..._principal.htm
Make sure you tick Disinfect automatically under Scan Options

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

TrojanScan

(If any of the online scanners stall or refuse to run properly skip to the next
steps)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please update Windows:

Users need to make sure you are up to date with critical updates and service packs* from
Windows Update

XP users need to download Service Pack 1a, if you dont have it already.

An un-patched Windows operating system will get re-infected within minutes of connecting to the internet.

We require you to have critical updates installed before posting a log, otherwise we're both wasting our time.

*Note to XP users:Please do not download/upgrade to Service Pack 2 until you are malware free. SP2 installed on a infected computer can cause problems. Once you are clean go ahead and install.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner4.exe

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under Configuration and Preferences, click the Preferences button.
* Under [b]General and Startup" tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* Back on the main screen, under Scan for Harmful Software click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
NOTE: Tracking cookies can be omitted from the log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

4. Download, install, and run HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.
Do NOT attempt to "fix" anything!

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Above layout courtesy of Broni

**Webshark2000** · November 15th, 2009, 04:46 PM

Also, you really should follow the advice given by the security experts instead of just posting a hijackthis log.

Sorry, are you referring to the advice you have in your sig?

I've run AVG, Trendmicro's online scanner and also Antimaleware, Spybot and AdAware.

So far none of them have found anything, but they have also all failed to remove the problem.

**Train** · November 15th, 2009, 05:01 PM

Spybot and AdAware.
Antiques, So start with Print these instructions out. and DOWN.

Not being mean, just that super and mbam find thing that what you have miss.

**Webshark2000** · November 15th, 2009, 06:00 PM

I've run mbam already and didn't find anything. I'll run Superantispyware as soon as I get a chance. Running the Panda ActiveScan right now.

Thanks.

**photolady** · November 15th, 2009, 08:02 PM

I believe the experts want to see your logs from Malwarebytes and SuperAntimalware. If you'll post those they will be along to help you.

**Train** · November 15th, 2009, 08:03 PM

If they know what is removed, it helps them figure out what you have.

**Webshark2000** · November 19th, 2009, 11:43 PM

Hey guys,

Sorry I've been really busy this week. I was just able to run SuperAnitSpyware tonight. Here's the log I got from it:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/19/2009 at 09:42 PM

Application Version : 4.30.1004

Core Rules Database Version : 4294
Trace Rules Database Version: 2165

Scan type : Complete Scan
Total Scan Time : 03:16:28

Memory items scanned : 501
Memory threats detected : 5
Registry items scanned : 5630
Registry threats detected : 20
File items scanned : 283039
File threats detected : 25

Adware.Vundo/Variant-[Fixed]
C:\WINDOWS\SYSTEM32\DEVAWIJE.DLL
C:\WINDOWS\SYSTEM32\DEVAWIJE.DLL
C:\WINDOWS\SYSTEM32\POHOJUHI.DLL
C:\WINDOWS\SYSTEM32\POHOJUHI.DLL
C:\WINDOWS\SYSTEM32\NIWAMINU.DLL
C:\WINDOWS\SYSTEM32\VUBUSEZA.DLL

Adware.Vundo/Variant-Jinky
C:\WINDOWS\SYSTEM32\SIDUBAGE.DLL
C:\WINDOWS\SYSTEM32\SIDUBAGE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{4d3637a2-a747-4bba-b3d9-f0062c586fe5}
HKCR\CLSID\{4D3637A2-A747-4BBA-B3D9-F0062C586FE5}
HKCR\CLSID\{4d3637a2-a747-4bba-b3d9-f0062c586fe5}\InprocServer32
HKCR\CLSID\{4d3637a2-a747-4bba-b3d9-f0062c586fe5}\InprocServer32#ThreadingModel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#mamiyuvob

Trojan.Agent/Gen-6TO4
C:\WINDOWS\SYSTEM32\6TO4V32.DLL
C:\WINDOWS\SYSTEM32\6TO4V32.DLL

Trojan.Dropper/Win-NV
C:\WINDOWS\SYSTEM32\TKJH.HUO
C:\WINDOWS\SYSTEM32\TKJH.HUO

Rogue.AntiVirusPlus
HKLM\Software\Classes\CLSID\{C2B5AAB8-2183-4be7-81A6-F11493C45872}
HKCR\CLSID\{C2B5AAB8-2183-4BE7-81A6-F11493C45872}
HKCR\CLSID\{C2B5AAB8-2183-4BE7-81A6-F11493C45872}
HKCR\CLSID\{C2B5AAB8-2183-4BE7-81A6-F11493C45872}\InProcServer32
HKCR\CLSID\{C2B5AAB8-2183-4BE7-81A6-F11493C45872}\InProcServer32#ThreadingModel
C:\DOCUMENTS AND SETTINGS\SHAUN\APPLICATION DATA\ANTIVIRUS PLUS\ANTIVIRUS PLUS.70367201.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2B5AAB8-2183-4be7-81A6-F11493C45872}
HKU\S-1-5-21-1292428093-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2B5AAB8-2183-4BE7-81A6-F11493C45872}
C:\Documents and Settings\All Users\Start Menu\Programs\ANTIVIRUS PLUS\AntiVirus Plus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\ANTIVIRUS PLUS\EULA.url
C:\Documents and Settings\All Users\Start Menu\Programs\ANTIVIRUS PLUS
C:\Documents and Settings\Shaun\Start Menu\Programs\ANTIVIRUS PLUS\AntiVirus Plus.lnk
C:\Documents and Settings\Shaun\Start Menu\Programs\ANTIVIRUS PLUS\EULA.url
C:\Documents and Settings\Shaun\Start Menu\Programs\ANTIVIRUS PLUS
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ANTIVIRUS PLUS.LNK
C:\Documents and Settings\Shaun\Desktop\ANTIVIRUS PLUS.LNK
C:\Documents and Settings\Shaun\Start Menu\Programs\Startup\ANTIVIRUS PLUS.LNK

Rootkit.Agent/Gen-DiskFake
HKLM\System\ControlSet001\Services\daqdrv
C:\WINDOWS\SYSTEM32\DAQDRV.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_daqdrv
HKLM\System\ControlSet002\Services\daqdrv
HKLM\System\ControlSet002\Enum\Root\LEGACY_daqdrv
HKLM\System\CurrentControlSet\Services\daqdrv
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_daqdrv

Trojan.Hugipon
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll

Trojan.Agent/Gen
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\lowsec

Rogue.WindowsEnterpriseDefender
C:\DOCUMENTS AND SETTINGS\ALL USERS\E2E279A\WSE2E2.EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\C1MVWDU3\XP_48FE1[1].EXE

Trojan.Agent/Gen-FakeAlert
C:\WINDOWS\TEMP\101.TMP

**Broni** · November 20th, 2009, 12:36 AM

Keep going....

**Webshark2000** · November 20th, 2009, 10:14 AM

I will. I let mbam run overnight and didn't have a chance to post its log before leaving for work. I'll post it when I get home tonight.

Thanks.

**Webshark2000** · November 20th, 2009, 12:48 PM

Malwarebytes' Anti-Malware 1.41
Database version: 3201
Windows 5.1.2600 Service Pack 3

11/20/2009 11:43:09 AM
mbam-log-2009-11-20 (11-43-09).txt

Scan type: Full Scan (C:\|D:\|T:\|)
Objects scanned: 435096
Time elapsed: 1 hour(s), 22 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lewisojob (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Plus (Rogue.Antivirus Plus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Plus (Rogue.Antivirus Plus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tkjh.huo sqmtm) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (c:\windows\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\WSDDSys (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shark\Application Data\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Files Infected:
C:\moypl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033788.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033793.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033814.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033809.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033810.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033811.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033812.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033813.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033815.dll (Trojan.Inject) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033817.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033820.exe (Rogue.WindowsEnterpriseDefender) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0033821.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0034821.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B265EB0E-15CE-4CDB-8119-870CEAFA077A}\RP343\A0034822.dll (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\12E.tmp (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\132.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gozewemo.exe (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\41Q3GXMB\wpmzmjnky[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KT6VK5A7\bfpmmna[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KT6VK5A7\jpyzwjxbx[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KT6VK5A7\qwtuuhv[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WSDDSys\wsd.cfg (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Shark\Application Data\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

**Webshark2000** · November 20th, 2009, 02:01 PM

I was just home on my lunch break. I'll post the rest after work.

Thanks again.

**Webshark2000** · November 20th, 2009, 08:30 PM

I didn't select the "Show all" checkbox with gmer (it was actually greyed out), but the log is still pretty large. Should I go ahead and post the whole thing?

**Broni** · November 20th, 2009, 10:05 PM

If it's very big, attach it.

**Webshark2000** · November 20th, 2009, 10:13 PM

Here you go.

Thread: Random web pages opening.

Thread Tools

Search Thread

Display

Random web pages opening.

SuperAntiSpyware Log

MBAM Log

Gmer log

Thread Information

Users Browsing this Thread

Posting Permissions