gerlis
asked on
Dummy webpage malware?
One of our client's PCs last week was infected with malware, pop-up windows. Threw everything at it (they have Sophos installed) Malwarebytes, Ccleaner, MS Safet Live. Thiese all did a good job, but then Sophos reported a possible rootkit, so I ran Kaspersky rootkit killer and this found and removed it.
All seemed fine. Our client now reports every so often when on the Web (using IE) web pages coming up with adverts. I've logged inot them remotely and seen it. In effect it's a dummy webpage with an advert. See attached screen snap. Not how it even mimicks the Google logo in the search entry field top right!
Today I ran malwarebytes which found some things, then CCleaner, also rootkit thing from Kasperksy (clean) finally I installed MS Security Essentials (clean).
This web page and variants still coming up. It can be closed with no problems but will appear again after 5 minutes or so.
Has anyone see this before? Any ideas how to remove it?
They're running Windows Vista on a Server 2008 R2 network, nothing reported on any other PCs on the network
(BTW the Anti-Spam Email Software zone is a mistake on my part! I meant anti-virus, I think. Can't workout how to change zone)
All seemed fine. Our client now reports every so often when on the Web (using IE) web pages coming up with adverts. I've logged inot them remotely and seen it. In effect it's a dummy webpage with an advert. See attached screen snap. Not how it even mimicks the Google logo in the search entry field top right!
Today I ran malwarebytes which found some things, then CCleaner, also rootkit thing from Kasperksy (clean) finally I installed MS Security Essentials (clean).
This web page and variants still coming up. It can be closed with no problems but will appear again after 5 minutes or so.
Has anyone see this before? Any ideas how to remove it?
They're running Windows Vista on a Server 2008 R2 network, nothing reported on any other PCs on the network
(BTW the Anti-Spam Email Software zone is a mistake on my part! I meant anti-virus, I think. Can't workout how to change zone)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks. Wipe and reload is a big time-consuming issue and our client has to pay for our time. So far it hasn't taken up much of my time, so I am prepared to continue trying things.
I will try combofix later
(Last week another of oour clients did have a malware and in the end I had to re-install, so, I do know what it's like to have to give in!)
I will try combofix later
(Last week another of oour clients did have a malware and in the end I had to re-install, so, I do know what it's like to have to give in!)
ASKER
How do I change the zone for this?
ASKER
stergium: Thanks for this. Though thiss link refers to "injecting" data into legitimate banks sites or keylogging, whereas my exampl is coming up with a dumy webpage, albeit with input fields
If this is the cause, (seems similar effect), there is no indication shown on the link you gave about removing it?
If this is the cause, (seems similar effect), there is no indication shown on the link you gave about removing it?
Hi gerlis
root kits are notoriously hard to eliminate, you have to find the exact one and then the exact solution. You are gambling by leaving it on the network. I would suggest low level formating and reloading. if you do not want to do that check on the server any files that might be saved there (profile etc), because if you are sure that you have eliminate it from the local pc and then shows up again that means that
a) the user went again to the same site that picked up first time around
b) some files (backup, restore points, etc) are infected and it keeps downloading it again
root kits are notoriously hard to eliminate, you have to find the exact one and then the exact solution. You are gambling by leaving it on the network. I would suggest low level formating and reloading. if you do not want to do that check on the server any files that might be saved there (profile etc), because if you are sure that you have eliminate it from the local pc and then shows up again that means that
a) the user went again to the same site that picked up first time around
b) some files (backup, restore points, etc) are infected and it keeps downloading it again
ASKER
xmlmagician:
I accept your point. You may be right and we might have to "bite the bullet" and re-install. I've been checking server (they have re-directed folders onto the server), too.
Can;t do any nmore 'til later when client has gone home, but will see if anyone on E-E has a "magic bullet" (lots of "bullet" metaphoirs today!)
Thanks
I accept your point. You may be right and we might have to "bite the bullet" and re-install. I've been checking server (they have re-directed folders onto the server), too.
Can;t do any nmore 'til later when client has gone home, but will see if anyone on E-E has a "magic bullet" (lots of "bullet" metaphoirs today!)
Thanks
gerlis we all have been there, what can i say best of luck remember low level formatting and make sure that no files on the server are corrupt. I have been using Advanced system care which is for free. it is not something spectacular but it works okay for me. Try hijackthis as well, get your results and post them on their forum, they are very helpful, try spybot search and destroy and adware all are for free, check it with eset online virus scan if you have time too.
if you go down the new install route make sure that user has additional protection like spybot running at the background or any other program you are comfortable with
if you go down the new install route make sure that user has additional protection like spybot running at the background or any other program you are comfortable with
If you can. Do a test for me and open up regedit and go to this registery key and change the value manually for your search bar.
Go to this key and find the search bar value double click it and manually type in a website of your choice and reboot the system. Also do the something for search page and default. Tell me if the search engine values change after a reboot.
Go to this key and find the search bar value double click it and manually type in a website of your choice and reboot the system. Also do the something for search page and default. Tell me if the search engine values change after a reboot.
HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/MainASKER
Well, on Monday evening I decided to try Combofix and... it worked!
The dummy web page no longer comes up. I re-ran all the other scans to make sure nothing lurking and all seems fine.
Combofix did, however turn on Windows firewall so it dropped my remote desktop connection to the client's PC, so at the time I didn;t know what had happened! Next day I went in there in readiness to re-install Windows, but all was working fine (put the RDP port as an exception in the firewall too)
Thanks jhyiesla points go to you
The dummy web page no longer comes up. I re-ran all the other scans to make sure nothing lurking and all seems fine.
Combofix did, however turn on Windows firewall so it dropped my remote desktop connection to the client's PC, so at the time I didn;t know what had happened! Next day I went in there in readiness to re-install Windows, but all was working fine (put the RDP port as an exception in the firewall too)
Thanks jhyiesla points go to you
hope that helps