gerlis asked:

Dummy webpage malware?

One of our client's PCs last week was infected with malware, pop-up windows. Threw everything at it (they have Sophos installed): Malwarebytes, CCleaner, MS Safety Live. These all did a good job, but then Sophos reported a possible rootkit, so I ran the Kaspersky rootkit killer and this found and removed it.

All seemed fine. Our client now reports every so often when on the Web (using IE) web pages coming up with adverts. I've logged into them remotely and seen it. In effect it's a dummy webpage with an advert. See attached screen snap. Note how it even mimics the Google logo in the search entry field top right!

Today I ran Malwarebytes, which found some things, then CCleaner, also the rootkit tool from Kaspersky (clean); finally I installed MS Security Essentials (clean).

This web page and variants still coming up. It can be closed with no problems but will appear again after 5 minutes or so.

Has anyone seen this before? Any ideas how to remove it?

They're running Windows Vista on a Server 2008 R2 network, nothing reported on any other PCs on the network
(BTW the Anti-Spam Email Software zone is a mistake on my part! I meant anti-virus, I think. Can't work out how to change zone.)

[attached screenshot]
ASKER CERTIFIED SOLUTION
jhyiesla:

I think that this is what you are looking for, found at http://www.threatexpert.com/report.aspx?md5=150f050f63ea8dc1d8684057f2d8f3e0

Hope that helps.
gerlis (ASKER):
Thanks. Wipe and reload is a big, time-consuming issue and our client has to pay for our time. So far it hasn't taken up much of my time, so I am prepared to continue trying things.

I will try ComboFix later.

(Last week another of our clients did have a malware infection and in the end I had to re-install, so I do know what it's like to have to give in!)
gerlis (ASKER):
How do I change the zone for this?

gerlis (ASKER):
stergium: Thanks for this. Though this link refers to "injecting" data into legitimate bank sites or keylogging, whereas my example is coming up with a dummy webpage, albeit with input fields.

If this is the cause, (seems similar effect), there is no indication shown on the link you gave about removing it?
Hi gerlis

Rootkits are notoriously hard to eliminate; you have to find the exact one and then the exact solution. You are gambling by leaving it on the network. I would suggest low-level formatting and reloading. If you do not want to do that, check on the server any files that might be saved there (profile etc.), because if you are sure that you have eliminated it from the local PC and then it shows up again, that means that
a) the user went again to the same site that picked it up the first time around, or
b) some files (backup, restore points, etc.) are infected and it keeps downloading it again.

gerlis (ASKER):
xmlmagician:

I accept your point. You may be right and we might have to "bite the bullet" and re-install. I've been checking server (they have re-directed folders onto the server), too.

Can't do any more 'til later when the client has gone home, but will see if anyone on E-E has a "magic bullet" (lots of "bullet" metaphors today!)

Thanks



gerlis, we have all been there; what can I say, best of luck. Remember low-level formatting, and make sure that no files on the server are corrupt. I have been using Advanced SystemCare, which is free. It is not something spectacular but it works okay for me. Try HijackThis as well, get your results and post them on their forum; they are very helpful. Try Spybot Search & Destroy and Ad-Aware, all are free, and check it with the ESET online virus scan if you have time too.

If you go down the new install route, make sure that the user has additional protection like Spybot running in the background, or any other program you are comfortable with.
If you can, do a test for me: open up regedit, go to this registry key and change the value manually for your search bar.

Go to this key, find the Search Bar value, double-click it and manually type in a website of your choice, then reboot the system. Also do the same for Search Page and Default. Tell me if the search engine values change after a reboot.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
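The test suggested above, as an added example that is not part of the original thread: a PowerShell script that records the IE start/search values under HKCU\Software\Microsoft\Internet Explorer\Main, overwrites them with a site of your choice and saves a snapshot; run it again after the reboot and it reports which values were rewritten. The snapshot file location, the "known good" URL and the list of value names beyond Search Bar and Search Page (Start Page, Default_Page_URL) are assumptions made for this example.

```powershell
# Added example, not code from the thread. First run: show, overwrite and
# snapshot the IE start/search values. Second run (after reboot): compare.
# Snapshot path, the URL and the extra value names are assumptions.
$KeyPath      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$SnapshotFile = Join-Path $env:TEMP 'ie-main-snapshot.xml'
$ValueNames   = @('Search Bar', 'Search Page', 'Start Page', 'Default_Page_URL')
$KnownGood    = 'https://www.google.com/'   # any site you choose

function Get-IeMainValues {
    # Returns a hashtable: value name -> current data ('<missing>' if absent)
    $result = @{}
    $props  = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $ValueNames) {
        if ($props -and $props.PSObject.Properties[$name]) {
            $result[$name] = [string]$props.$name
        } else {
            $result[$name] = '<missing>'
        }
    }
    return $result
}

if (-not (Test-Path $SnapshotFile)) {
    # First run: record what is there now, set a known value, save the snapshot.
    Write-Host "Values before the change:"
    $current = Get-IeMainValues
    foreach ($name in $ValueNames) {
        Write-Host ("  {0,-18} {1}" -f $name, $current[$name])
    }
    foreach ($name in $ValueNames) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value $KnownGood
    }
    (Get-IeMainValues) | Export-Clixml -Path $SnapshotFile
    Write-Host "Set all four values to $KnownGood and saved a snapshot to $SnapshotFile."
    Write-Host "Reboot, then run this script again."
} else {
    # Second run: any value that no longer matches the snapshot was rewritten
    # by something on the machine (or pushed from the server) during the reboot.
    $saved   = Import-Clixml -Path $SnapshotFile
    $now     = Get-IeMainValues
    $changed = 0
    foreach ($name in $ValueNames) {
        if ($saved[$name] -ne $now[$name]) {
            $changed++
            Write-Host ("CHANGED {0,-18} '{1}' -> '{2}'" -f $name, $saved[$name], $now[$name])
        } else {
            Write-Host ("same    {0,-18} '{1}'" -f $name, $now[$name])
        }
    }
    Remove-Item $SnapshotFile
    if ($changed -gt 0) {
        Write-Host "$changed value(s) were reset after the reboot: something is still active."
    } else {
        Write-Host "Nothing changed: the hijack is not persisting through these values."
    }
}
```

Run it in the affected user's session, since the key is under HKEY_CURRENT_USER. If a value does come back changed, the same two-run check can be repeated against the HKLM copy of the key (HKLM:\Software\Microsoft\Internet Explorer\Main) to tell a per-user hijack from a machine-wide one.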

gerlis (ASKER):
Well, on Monday evening I decided to try ComboFix and... it worked!

The dummy web page no longer comes up. I re-ran all the other scans to make sure nothing lurking and all seems fine.

ComboFix did, however, turn on the Windows firewall, so it dropped my remote desktop connection to the client's PC, so at the time I didn't know what had happened! Next day I went in there in readiness to re-install Windows, but all was working fine (put the RDP port as an exception in the firewall too).

Thanks jhyiesla, points go to you.