Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Websitesurvey Pop Up


  • This topic is locked This topic is locked
23 replies to this topic

#1 dwj1970

dwj1970

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 20 December 2009 - 10:54 AM

When I use internet explorer and type a new address in the address bar to navigate to a new page, Another explorer window pops up frequently saying that I have been selected to participate in a survey and receive a prize. the website that pops up is www.websitesurvey.com

When I run a search on google or yahoo and attempt to click on a search result I get redirected to another site.

I ran malwarebytes, SuperAntiSpyware, and Spybot Search and Destroy yesterday when the problem began, and after removing anything that they found, the problem still persists.

Any help on next steps would be greatly appreciated,

Dennis

BC AdBot (Login to Remove)

 


#2 Wikinger

Wikinger

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 20 December 2009 - 03:06 PM

Hi Dennis, as long as the machine is clean have you tried to reset your Internet Explorer settings? If you go to tools / Internet Options, there will be a tab at the end named "Advanced". From there you will see near the bottom something named "Reset Internet Explorer settings" If you decide to reset the settings it will be like when IE was first installed. Any toolbars, your homepage, passwords you have saved for sites etc will be erased so you will need to re-set things up as you like. Your favorites will be untouched so no need to worry about losing them.

Hopefully once you reset IE the pops up will dissapear (as long as mentioned above the machine is clean) because it purges all temp files, addons and so forth where rogue redirects like to hang out.

Good luck and let me know how it goes :thumbsup:

#3 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 20 December 2009 - 04:45 PM

Unfortunatly, that did not stop the problem.

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 AM

Posted 20 December 2009 - 06:33 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.


Please post your latest Malwarebytes log. It can be found under the "Logs" tab of the program.
Computer Pro

#5 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 20 December 2009 - 06:49 PM

Thanks for your assistance. I am posting two Malwarebytes logs, the First is the scan when I noticed the problem, the second (which you may not need) is after I rebooted and ran it again after noticing that the problem still existed:


First Log:


Malwarebytes' Anti-Malware 1.42
Database version: 3393
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/19/2009 11:25:56 AM
mbam-log-2009-12-19 (11-25-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 182759
Time elapsed: 1 hour(s), 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zutovogi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Trojan.Downloader) -> Delete on reboot.



Second Log:



Malwarebytes' Anti-Malware 1.42
Database version: 3395
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/19/2009 8:53:40 PM
mbam-log-2009-12-19 (20-53-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 184816
Time elapsed: 1 hour(s), 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)





Again, thank you for any assistance. I am changing my controls so that I receive email updates and will follow whatever actions you recommend.

#6 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 AM

Posted 20 December 2009 - 06:50 PM

Ok, lets run Dr. Web:

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Computer Pro

#7 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 20 December 2009 - 11:18 PM

I ran Dr. Web, At the end of the initial scan, I got a message that said HOSTS files have been modified, do you want to return the HOSTS files to their original forms, I said yes to return the HOSTS files to their original forms. I then ran the complete scan, the log is below.

Log:

Process in memory: C:\WINDOWS\system32\svchost.exe:948;;BackDoor.Tdss.565;Eradicated.;
aoltsmon.dll;c:\program files\common files\aol\topspeed\2.0;Probably DLOADER.Trojan;Incurable.Moved.;
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
501-nina_simone-obeah_woman_(dj_logic_remix).mp3;C:\Documents and Settings\Owner\Shared;Trojan.WMALoader;Cured.;
keep it in closet micheal.snd;C:\Documents and Settings\Owner\Shared;Trojan.WMALoader;Cured.;
micheal jackson (from new album).mp3;C:\Documents and Settings\Owner\Shared;Trojan.WMALoader;Cured.;
nina simone (rare studio version).au;C:\Documents and Settings\Owner\Shared;Trojan.WMALoader;Cured.;
Nina Simone - To love Somebody.mp3;C:\Documents and Settings\Owner\Shared;Trojan.WMALoader;Cured.;
Talking Heads - Burning down the house (Live).mp3;C:\Documents and Settings\Owner\Shared;Trojan.WMALoader;Cured.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
A0138476.reg;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1294;Trojan.StartPage.1505;Deleted.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App03130\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App03130\comps\coach;Archive contains infected objects;Moved.;
autorun.exe;K:\;Win32.HLLW.Autoruner.7598;Deleted.;



Both scans found a total of 13 problematic files. I have not opened another internet explorer to see if the problem still exists, and will not do so until you let me know I should.

(On a side note, I have AVG free version, SpyBot-S&D, Malwarebytes, and SuperAntiSpyware, is Dr Web something I should keep and run once a week to keep my computer as close to virus free as possible?)

Please let me know if further action is necessary, or if I should open an Explorer window and see if the problem persists.


Thank you agan for taking the time to help.

Dennis

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 AM

Posted 20 December 2009 - 11:20 PM

Everytime you would run Dr. Web, you would have to download the new version from the site. Go ahead and try to open up IE and see what happens.
Computer Pro

#9 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 20 December 2009 - 11:21 PM

Just a question, it also appeared that no action was taken on one of the problems found. The results and the log state

"aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App03130\comps\coach\aolcinst.exe;Adware.Gdown;;"

where all the other problematic files were either eradicated, removed, deleted or isolated. Is this going to be a problem?

#10 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 20 December 2009 - 11:26 PM

I just opened an internet explorer, my homepage is google. I typed in a random phrase "pineapple power" to do a search, when i clicked on the first result, I was taken to the correct web page, however a second internet explorer window opened with the websitesurvey.com pop up still coming up. So the problem still exists. I did not go further and click other links to see if I was redirected to random websites.

#11 MATTSPCHELP

MATTSPCHELP

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leicester, United kingdom
  • Local time:11:08 AM

Posted 20 December 2009 - 11:32 PM

Recomendation

download HostXpert and click restore hosts file
Microsoft Certified Desktop Support Technician

#12 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 20 December 2009 - 11:36 PM

Computer Pro,

until I hear from you about the last response, i will not follow those directions. Please let me know if that is the step you want me to take.

Thanks,

Dennis

#13 MATTSPCHELP

MATTSPCHELP

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leicester, United kingdom
  • Local time:11:08 AM

Posted 20 December 2009 - 11:43 PM

Second Suggestion Reffer to higher tech for rootkit scan
Microsoft Certified Desktop Support Technician

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 AM

Posted 21 December 2009 - 11:33 AM

Second Suggestion Reffer to higher tech for rootkit scan


:thumbsup: First there is absolutely no reason to refer the original poster to a higher tech to run a Rootkit scan.

:step2:I'm going to hold that scan also. Let's run an ESET scan.

Please follow the instructions here for running the ESET online scanner:

Please perform a scan with ESET Online Scanner
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use

Now click Start.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Insall ActiveX component.

A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
Answer Yes to install and download the ActiveX controls that allows the scan to run.

Click Start. (the Onlinescanner will now prepare itself for running on your pc)

To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
Press Scan to start the online scan. (this could take some time to complete)
When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.

Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt

The scan results will open in Notepad.

Copy and paste the log results in your next reply.

Edited by Computer Pro, 21 December 2009 - 11:34 AM.

Computer Pro

#15 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 21 December 2009 - 06:28 PM

Sorry it took so long to reply. When I woke up this morning, my Magic Jack phone has stopped working and had to close. I shut off the computer. When i got home from work and turned it on, I had a fake virus removal program attempting to run, so before following you suggestions I ran Malwarebytes to clean up the fake security alerts. I assume this redirecting virus was also responsible for the fake security alerts.

I ran ESET like as you said the log is below:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dfab5fddbdc3e944adc950f05867569e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-12-21 11:20:09
# local_time=2009-12-21 05:20:09 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 50251741 50251741 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=69486
# found=3
# cleaned=3
# scan_time=3452
C:\Documents and Settings\Owner\Shared\501-nina_simone-obeah_woman_(dj_logic_remix).mp3 probably a variant of Win32/TrojanDropper.Agent trojan (cleaned by deleting - quarantined) 7CF5E7480E22869E6BB9183412116D2C C
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus (deleted - quarantined) 6C9C79FB7714ABE38FA2CE8D593DBA96 C
C:\WINDOWS\system32\AdfOonnn.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) ED4021766BBD57F18463963C5066EB40 C






I opened an internet explorer window and did a search, a second window still pops up with the Websitesurvey.com or another random website.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users