
Random Web Tabs Open In Browser, Redirecting


1 reply to this topic

#1 SeaSpur


  • Members
  • 2 posts

Posted 23 July 2010 - 05:23 PM

Hello all, hopefully I can find some help here with what seems to be an issue not isolated to myself. I've read over the forum rules and guidelines, so hopefully I can provide useful information to help get this problem solved.

Basically, my browser will open random tabs and go to random web sites. Also, after doing a Google search and clicking a link...it will often redirect me to some random site instead. I have noticed this is only when I click a link, because typing a URL in never fails me or gets the redirection. Browser is running pretty slow as well...whole computer seems to be running a lot slower with processes eating a lot more resources than usual.

I also get notices from Norton every so often that an attack from a particular IP address was performed on my PC...many times it is the same IP address with the last digits a couple off (I traced one to Norway online).

I'd call myself a power user when it comes to PC knowledge (ironically my degree is in MIS but I went into sales, ha) and I've tried many things to fix it...to no avail.

OS: Windows XP SP2
VP: Norton Security Suite 4 (was AVG until I felt it may not be secure enough)

Have tried:
HijackThis (use this often to make sure all is okay)
Malwarebytes (used once)
Ad-Aware
Basic Norton Scans

DDS Log:


QUOTE
DDS (Ver_10-03-17.01) - NTFSx86
Run by Kennedy at 16:59:03.12 on Fri 07/23/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.31 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Kennedy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kennedy\applic~1\mozilla\firefox\profiles\4evf9vml.default\
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-21 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-7-21 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-7-21 173104]
R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [2010-2-23 20352]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-9 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-7-21 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-7-21 116784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-21 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100721.003\IDSXpx86.sys [2010-7-23 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100723.002\NAVENG.SYS [2010-7-23 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100723.002\NAVEX15.SYS [2010-7-23 1362608]
R3 WlanUIG;NB 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [2010-1-7 379456]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-2-23 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-2-23 25704]

=============== Created Last 30 ================

2010-07-22 06:27:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-22 00:51:58 0 d-----w- c:\docume~1\kennedy\applic~1\Malwarebytes
2010-07-22 00:51:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 00:51:10 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-07-22 00:51:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-21 22:25:16 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-21 22:24:25 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-21 21:53:40 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-21 21:20:18 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-21 21:20:18 0 d-----w- c:\documents and settings\kennedy\log
2010-07-21 21:01:52 27744 ----a-w- c:\windows\system32\drivers\point32.sys
2010-07-21 21:00:40 0 d-----w- c:\program files\Microsoft IntelliPoint
2010-07-21 20:57:38 0 d-----w- c:\program files\MSXML 6.0
2010-07-21 20:56:47 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-07-21 20:56:47 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-07-21 20:56:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-21 20:56:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-21 20:56:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-07-21 20:56:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-21 20:56:35 0 d-----w- c:\program files\Symantec
2010-07-21 20:56:35 0 d-----w- c:\program files\common files\Symantec Shared
2010-07-21 20:54:39 0 d-----w- c:\windows\system32\drivers\N360
2010-07-21 20:54:26 0 d-----w- c:\program files\Norton Security Suite
2010-07-21 11:50:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-21 10:31:39 0 d-----w- c:\docume~1\kennedy\applic~1\Tific
2010-07-21 03:04:42 0 d-sha-r- C:\cmdcons
2010-07-21 02:59:51 98816 ----a-w- c:\windows\sed.exe
2010-07-21 02:59:51 77312 ----a-w- c:\windows\MBR.exe
2010-07-21 02:59:51 256512 ----a-w- c:\windows\PEV.exe
2010-07-21 02:59:51 161792 ----a-w- c:\windows\SWREG.exe
2010-07-21 00:41:19 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-07-21 00:41:19 328752 ----a-w- c:\windows\system32\drivers\symds.sys
2010-07-21 00:41:19 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-07-21 00:41:19 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-07-21 00:41:18 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-07-20 21:14:51 0 d-----w- c:\program files\NortonInstaller
2010-07-20 21:14:51 0 d-----w- c:\docume~1\alluse~1.win\applic~1\NortonInstaller
2010-07-20 20:51:57 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Norton
2010-07-20 01:59:08 150 ----a-w- C:\zrpt.xml
2010-07-20 01:58:20 0 d-----w- c:\docume~1\kennedy\applic~1\5D11E502B5989CC130C5F1F689536168

==================== Find3M ====================

2006-03-31 19:25:55 9728 -csha-w- c:\program files\common files\Thumbs.db
2006-01-16 23:54:29 9728 --sha-w- c:\program files\Thumbs.db
2005-01-15 01:37:13 280 -c--a-w- c:\program files\WS_FTP.LOG
2002-09-07 15:57:34 5511 -c--a-w- c:\program files\settings.dat
2002-09-07 15:57:16 75996 -c--a-w- c:\program files\library.dat
2002-08-07 22:23:13 8155 -c--a-w- c:\program files\colors.dat

============= FINISH: 17:01:38.87 ===============



Thanks for any and all help.

Edited by SeaSpur, 23 July 2010 - 05:28 PM.
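The DDS log pasted above is the raw material a helper triages by hand: the SERVICES / DRIVERS section lists every loaded kernel driver with its file date, and the Created Last 30 section lists files dropped in the last month, so a driver that is both freshly dated and freshly created deserves a look (here that turns out to be the Lavasoft and Symantec drivers installed during the cleanup attempts, which is exactly why the helper asks for a rootkit scan rather than acting on file dates alone). The following Python script is an added example, not code from the poster or from BleepingComputer; it parses an excerpt copied from the log above (the SAMPLE_DDS string, constructed for this example), matches each recent driver against the Created Last 30 entries by file name and size, and flags drivers loaded from outside C:\WINDOWS. The section names and field layout are taken from the log itself; the function names and the 30-day threshold are this example's own choices.

```python
"""Triage helper for DDS-style logs: correlate recently dated drivers with
recently created files. Example code, not part of the forum thread."""
import re
from datetime import datetime

# Excerpt copied from the DDS log posted above (constructed sample input).
SAMPLE_DDS = r"""DDS (Ver_10-03-17.01) - NTFSx86
Run by Kennedy at 16:59:03.12 on Fri 07/23/2010

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-21 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-7-21 328752]
R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [2010-2-23 20352]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100721.003\IDSXpx86.sys [2010-7-23 331640]
R3 WlanUIG;NB 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [2010-1-7 379456]

=============== Created Last 30 ================

2010-07-22 00:51:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-21 22:25:16 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-21 22:24:25 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-21 00:41:19 328752 ----a-w- c:\windows\system32\drivers\symds.sys

============= FINISH: 17:01:38.87 ===============
"""

# Section headers look like "=== NAME ===" with any number of '=' on each side.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "Run by <user> at <time> on <Dow> MM/DD/YYYY" gives the date the log was taken.
RUN_RE = re.compile(r"^Run by .+? on \w{3} (\d{2}/\d{2}/\d{4})$")
# "R0 name;display name;path [YYYY-M-D size]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")
# "YYYY-MM-DD HH:MM:SS size attrs path"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")


def split_sections(text):
    """Return {section name: [non-empty lines]}; text before the first header is 'header'."""
    sections, current = {}, "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def parse_run_date(text):
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            return datetime.strptime(m.group(1), "%m/%d/%Y").date()
    raise ValueError("no 'Run by ... on <date>' line found")


def parse_drivers(lines):
    drivers = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if m:
            state, name, display, path, fdate, size = m.groups()
            drivers.append({"state": state, "name": name, "display": display, "path": path,
                            "file_date": datetime.strptime(fdate, "%Y-%m-%d").date(),
                            "size": int(size)})
    return drivers


def parse_created(lines):
    created = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            created.append({"created": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            "size": int(size), "attrs": attrs, "path": path})
    return created


def basename(path):
    """Lower-cased file name; DDS mixes 8.3 and long paths, so match on the name only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_drivers(text, days=30):
    """Drivers whose file date is within `days` of the log date, youngest first,
    annotated with whether a same-named, same-sized file appears in Created Last 30
    and whether the driver is loaded from outside C:\\WINDOWS (e.g. ProgramData)."""
    sections = split_sections(text)
    run_date = parse_run_date(text)
    drivers = parse_drivers(sections.get("SERVICES / DRIVERS", []))
    created = {basename(c["path"]): c for c in parse_created(sections.get("Created Last 30", []))}
    findings = []
    for d in drivers:
        age = (run_date - d["file_date"]).days
        if age > days:
            continue
        hit = created.get(basename(d["path"]))
        findings.append({"name": d["name"], "path": d["path"], "age_days": age,
                         "file_date": d["file_date"].isoformat(),
                         "in_created_last_30": hit is not None,
                         "size_matches": hit is not None and hit["size"] == d["size"],
                         "outside_windows": not d["path"].lower().startswith("c:\\windows\\")})
    return sorted(findings, key=lambda f: f["age_days"])


if __name__ == "__main__":
    for f in triage_drivers(SAMPLE_DDS):
        print(f"{f['name']:10} age={f['age_days']:3}d created30={f['in_created_last_30']!s:5} "
              f"size_ok={f['size_matches']!s:5} outside_windows={f['outside_windows']} {f['path']}")
```

On the sample this lists IDSxpx86 (a Norton IPS definition driver loaded from the Norton data directory, so outside C:\WINDOWS), then Lbd and SymDS, both of which also appear in Created Last 30 with matching sizes; tclondrv and WlanUIG are months old and are skipped. The point of the size check is that DDS reports the size of the loaded driver and of the created file separately, so a mismatch on the same name is worth a second look, while a match is consistent with a normal install.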




#2 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 31 July 2010 - 09:28 AM

Hello SeaSpur

Welcome to BleepingComputer

I see that you have run Combofix on this machine already; this is not advised without proper supervision or recommendation from a trained helper.
Please post the log if you still have it, located here > C:\Combofix.txt
================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
      • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.
==========
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



