Default browser opening by itself (outgoing traffic)

Status
Not open for further replies.

Vintage

New Member
Nov 9, 2020
18
I'm Mike, hello to all users of this forum.

For a week I have been trying to deal with something strange that started happening on my computer.

Problem: Default web browser opens by itself while using another application.

The default browser always opens, no matter if Firefox or IE is set - it opens in the default tab and nothing else happens - when using another program (e.g. I run a game and after a while the default browser starts by itself, even if none of them was turned on earlier).

What I have done so far:
1. I scanned the computer with practically everything: mbytes, advcleaner, eset, tdskiller, etc.; they found nothing (even while scanning in safe mode).
2. I formatted the computer several times - all disks - and made a clean, fresh installation of Windows 7 (install from Microsoft, recently obtained from the official technical support - .iso, bootable USB flash drive); the problem still appears.
3. Yesterday I reformatted the computer, resetting the BIOS / CMOS, and I took out and put back the RAM. I did a clean installation again - I also changed the internet connection (I connected an older router, not used for a year+, set up the connection to the internet, and updated Windows via Windows Update) - and the problem continued ...

Could it be that the virus (if it's a virus) is format-resistant?
Is it possible that a website saved my IP address and that's the problem?

When I had the program Malwarebytes installed, it blocked outgoing traffic from my browser several times (Firefox was the default then):

-Website data-
Category: Trojan
Internet domain: fwcdn.pl
IP address: 193.200.227.41
Port: 443
Type: Outgoing
File: C:\Program Files\Mozilla Firefox\firefox.exe

Once, by accident (a misclick while looking for another page), I entered this page for a while: fwcdn.pl - there is 'supposedly' nothing there, but there is some mention of amazon in the source of the page. And it is possible that this is where these problems started ...

I've run out of options for what to do - I'm desperate, please help :|
 

Attachments

  • fwcdn.png
    192.3 KB · Views: 16
  • Addition.txt
    18.5 KB · Views: 10
  • FRST.txt
    112.4 KB · Views: 9

Vintage

New Member
Nov 9, 2020
18
Additional questions:
Is it possible that - if it is a virus - it survives disk formatting?
If so - is the virus or some other crap able to survive in a different place than the computer's hard drive?
I am considering buying a new drive, as this may solve the problem, and installing a fresh system.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
446
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists in IE and you are using the Sync with other devices, disable the Sync.

Close IE.

Restart the computer and re-sync your devices if you need them.
<<<>>>
 

Attachments

  • fixlist.txt
    298 bytes · Views: 8

Vintage

New Member
Nov 9, 2020
18
Edit: IE (default browser) is still opening by itself.
Besides - netsh int ip reset - tcp register reset - system reinstall, it has the same effect, right? Am I wrong?
// Why must I wait over 40 min for "This message is awaiting moderator approval, and is invisible to normal visitors." on every post of mine - it paralyzes communication terribly.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
446
Hi,

Remove and re-install Firefox; it may be compromised.

Navigate to this page.

Follow all the directives


You can then reinstall Firefox if you want it.

4. Reinstall Firefox

p.s.
This process will not remove your Firefox profile data (such as bookmarks and passwords), since that information is stored in a different location.
Follow the suggested directives.
<<<>>>

p.s.
To remove all of Firefox's settings, cookies and bookmarks,
use the directives on this page.


<<<>>>

If the problem persists run this program.

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======
 

Vintage

New Member
Nov 9, 2020
18
Done.

RogueKiller Anti-Malware V14.7.4.0 (x64) [Oct 22 2020] (Free) by Adlice Software
mail : Support Form | Contact • Adlice Software
Website : RogueKiller Anti Malware | Free Virus Cleaner Download • Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits
Started in : Normal mode
User : Admin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20201109_140442, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2020/11/10 18:53:52 (Duration : 00:02:14)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Software
[PUP.WiperSoft (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-2558440146-1469643183-2636109547-1000\Software\WiperSoft -- N/A -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤



I installed WiperSoft yesterday, so it has nothing to do with this ~~ default browser opening problem.
And also, regardless of Firefox - it doesn't matter what I'm using, Opera / Firefox / IE - the default browser opens randomly, sometimes even 2-4 times when I'm away from the PC, sometimes instantly after I start watching some movie on my PC (in a program - not in the browser) or when I'm launching a game (it only happens when the desktop is not in the foreground). If you know what I'm saying: I can be on the desktop and nothing happens - I launch a game or anything - the default browser opens... by itself (it's not always happening, or instant - but this is the condition to trigger it - the default browser opening).
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
446
Hi,

You should delete the entry found by running the RogueKiller program.

As for the popups, are you possibly dealing with what is known as Push Notifications?

Check this out and do what is required.

Restart the computer after the removal.

How is it now?
 

Vintage

New Member
Nov 9, 2020
18
I deleted it, and like I said, it has nothing to do with my problem - I just saw this WiperSoft program suggested in another topic yesterday, so I tried it, but like the other ones it didn't find anything.
And this is not popups - the default browser, no matter which (Firefox, Opera, IE), opens by itself when I'm doing anything on the PC - but when I'm not on the desktop - the closed browser opens, sometimes multiple times, but always the default one - this is not normal behavior for a PC - even after a fresh reinstall the same thing happens - I've seen many viruses and other $hit but never something like this with no findable source ...

How can a freshly installed Win 7 open IE or any default browser by itself - maybe if I replace my hard drive the problem will disappear?
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
446
Hi,

Run these programs and post the logs.

Please download Malwarebytes Anti-Malware from Malwarebytes or
from BleepingComputer


  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes to your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
==

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======
 

Vintage

New Member
Nov 9, 2020
18
Done
 

Attachments

  • AdwCleaner[C00].txt
    1.6 KB · Views: 3
  • AdwCleaner[S00].txt
    1.4 KB · Views: 3
  • mbytes - threat scan report.txt
    1.2 KB · Views: 3
  • mbytes custom scan full.txt
    1.2 KB · Views: 3
  • ReportRogue.txt
    2.2 KB · Views: 3

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
446
Hi,

Nothing found in the logs.
===

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
fwcdn.pl
Once done, click on the Search File search button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
===

Are you still receiving these popups?
 

Vintage

New Member
Nov 9, 2020
18
Farbar Recovery Scan Tool (x64) Version: 11-11-2020
Ran by Admin (12-11-2020 16:31:39)
Running from C:\Users\Vintage\Desktop
Boot Mode: Normal

================== Search Files: "fwcdn.pl" =============


====== End of Search ======

Farbar Recovery Scan Tool (x64) Version: 11-11-2020
Ran by Admin (12-11-2020 16:32:32)
Running from C:\Users\Vintage\Desktop
Boot Mode: Normal

================== Search Registry: "fwcdn.pl" ===========


====== End of Search ======


Yes. But it's not pop-ups / it's the default web browser opening randomly - out of the blue.

When I do something other than being on the desktop of my computer - I start a movie - I maximize the screen - after some time - when I exit the full screen it just opens. Or when I'm AFK and just go back to the computer and move the mouse, sometimes the browser opens (even 3-4 windows at a time!). Or when I play a game, sometimes the browser opens, not regularly.

And it's always the default one, no matter if it's IE or Firefox ~~
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
446
Hi,

It may just be that your HOSTS file was compromised, or the Zonemap was changed.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

Code:
start

CreateRestorePoint:
CloseProcesses:

Hosts:

StartRegedit:
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
EndRegedit:

Restart:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===
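
The HOSTS file and the ZoneMap keys targeted by the fixlist above can be reviewed before a reset so there is a record of what they contained. The following read-only PowerShell script is an added example, not part of the original post and not FRST's own code; the function names are hypothetical, and it assumes the standard Windows HOSTS location.

```powershell
# Added example: read-only audit of the HOSTS file and ZoneMap keys.
# Function names are hypothetical; nothing on the system is modified.

function Get-ActiveHostsEntry {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    Get-Content $Path | ForEach-Object {
        # Strip trailing comments; comment-only lines become empty
        $line = ($_ -replace '#.*$', '').Trim()
        if ($line) {
            $parts = @($line -split '\s+')
            if ($parts.Count -ge 2) {
                # One object per mapping: address plus the names pointed at it
                New-Object PSObject -Property @{
                    Address = $parts[0]
                    Names   = ($parts[1..($parts.Count - 1)] -join ' ')
                }
            }
        }
    }
}

function Get-ZoneMapSubkey {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (Test-Path $key) {
            # Each subkey is a domain or range; its values hold the zone number
            # (0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted)
            Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                $k = $_
                $vals = $k.GetValueNames() | ForEach-Object { "$_=$($k.GetValue($_))" }
                "{0}  [{1}]" -f $k.Name, ($vals -join ', ')
            }
        }
    }
}

# The five keys named in the fixlist
$zm = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$keys = @(
    "HKCU:\$zm\Domains", "HKCU:\$zm\Ranges",
    "HKLM:\$zm\Domains", "HKLM:\$zm\Ranges", "HKLM:\$zm\EscDomains"
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host 'Active (uncommented) HOSTS entries:'
Get-ActiveHostsEntry $hostsPath | Format-Table Address, Names -AutoSize | Out-String
Write-Host 'ZoneMap subkeys:'
Get-ZoneMapSubkey $keys
```

An empty result in both sections means no active HOSTS mappings and no per-site zone assignments, which matches the comment-only HOSTS file reported later in the thread.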
 

Vintage

New Member
Nov 9, 2020
18
Done.

EDIT: In the hosts file there is only this (after your fix):
# 127.0.0.1 localhost

I didn't check it before, so I can't tell if it was corrupted.
 

Attachments

  • Fixlog.txt
    1.8 KB · Views: 0

Vintage

New Member
Nov 9, 2020
18
Dunno, but it seems to be fixed? $hit hasn't popped up even once yesterday after this fix and for a few hours today. I'm gonna keep you updated.

Meanwhile, can you explain what this 'fix' does? It replaced the 'hosts' file or fixed it, and several registry 'keys'... but aren't this 'hosts' file and these 'keys' deleted and created anew when I'm reinstalling the whole system???

Is there a way they got corrupted right away - after reinstalling a fresh Win 7??? If so, how?! Can we check something else to be sure??
Is it safe 'now' to reinstall Win 7 again - to have a clean Windows now, and this $hit is not gonna come back again??
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
446
Hi,
If you have reinstalled Windows, then something must be compromised in the device you used.

Run the Farbar program and attach fresh FRST.TXT and Addition.txt logs for my review.
 

Vintage

New Member
Nov 9, 2020
18
I told you already several times that I reinstalled Win 7 (clean install - full format) and this $hit always comes back -- here are additional logs
 

Attachments

  • Addition.txt
    20.5 KB · Views: 3
  • FRST.txt
    124 KB · Views: 2
  • Shortcut.txt
    27.4 KB · Views: 1