Dummy webpage malware?

One of our client's PCs last week was infected with malware, pop-up windows. Threw everything at it (they have Sophos installed): Malwarebytes, CCleaner, MS Safety Live. These all did a good job, but then Sophos reported a possible rootkit, so I ran Kaspersky rootkit killer and this found and removed it.

All seemed fine. Our client now reports every so often when on the Web (using IE) web pages coming up with adverts. I've logged into them remotely and seen it. In effect it's a dummy webpage with an advert. See attached screen snap. Note how it even mimics the Google logo in the search entry field top right!

Today I ran Malwarebytes, which found some things, then CCleaner, also the rootkit thing from Kaspersky (clean); finally I installed MS Security Essentials (clean).

This web page and variants are still coming up. It can be closed with no problems but will appear again after 5 minutes or so.

Has anyone seen this before? Any ideas how to remove it?

They're running Windows Vista on a Server 2008 R2 network; nothing reported on any other PCs on the network.
(BTW the Anti-Spam Email Software zone is a mistake on my part! I meant anti-virus, I think. Can't work out how to change zone.)

jhyiesla commented:
Not seen this particular issue before, but in my experience there many times comes a time when the greater good is served by just wiping and reloading. Yes, it's a pain, but how much time and effort have you thrown at this already, and you're still messing with it. About the only thing you haven't tried is Combofix... so that may be worth a shot.

One other thing that I've seen on occasion help is to save off the user's files and then log in as someone else. If the new user has no issues, then delete the old user's profile and have them log in to create a new one and then copy back the files you saved off earlier.

Still, a wipe and reload will get rid of the problem.

stergium commented:
I think that this is what you are looking for, found @ http://www.threatexpert.com/report.aspx?md5=150f050f63ea8dc1d8684057f2d8f3e0

Hope that helps.

gerlis (Author) commented:
Thanks. Wipe and reload is a big time-consuming issue and our client has to pay for our time. So far it hasn't taken up much of my time, so I am prepared to continue trying things.

I will try Combofix later.

(Last week another of our clients did have a malware and in the end I had to re-install, so I do know what it's like to have to give in!)

gerlis (Author) commented:
How do I change the zone for this?

gerlis (Author) commented:
stergium: Thanks for this. Though this link refers to "injecting" data into legitimate bank sites or keylogging, whereas my example is coming up with a dummy webpage, albeit with input fields.

If this is the cause (seems a similar effect), there is no indication shown on the link you gave about removing it?

xmlmagician commented:
Hi gerlis

Rootkits are notoriously hard to eliminate; you have to find the exact one and then the exact solution. You are gambling by leaving it on the network. I would suggest low-level formatting and reloading. If you do not want to do that, check on the server any files that might be saved there (profile etc.), because if you are sure that you have eliminated it from the local PC and then it shows up again, that means that
a) the user went again to the same site where it was picked up the first time around
b) some files (backup, restore points, etc.) are infected and it keeps downloading it again

gerlis (Author) commented:
xmlmagician:

I accept your point. You may be right and we might have to "bite the bullet" and re-install. I've been checking the server (they have redirected folders onto the server), too.

Can't do any more 'til later when the client has gone home, but will see if anyone on E-E has a "magic bullet" (lots of "bullet" metaphors today!)

Thanks

xmlmagician commented:
gerlis, we all have been there. What can I say? Best of luck. Remember low-level formatting, and make sure that no files on the server are corrupt. I have been using Advanced SystemCare, which is free. It is not something spectacular but it works okay for me. Try HijackThis as well, get your results and post them on their forum; they are very helpful. Try Spybot Search & Destroy and Ad-Aware, all are free, and check it with the ESET online virus scan if you have time too.

If you go down the new install route, make sure that the user has additional protection like Spybot running in the background, or any other program you are comfortable with.

Russell_Venable commented:
If you can, do a test for me: open up regedit, go to this registry key and change the value manually for your search bar.

Go to this key, find the Search Bar value, double-click it and manually type in a website of your choice, then reboot the system. Also do the same thing for Search Page and Default. Tell me if the search engine values change after a reboot.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
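The check Russell_Venable describes (set the IE search values by hand, reboot, see whether they get rewritten) can be scripted so the before/after comparison is exact rather than eyeballed. The following is an added example, not code from the thread: it snapshots the values under the key named above, saves a baseline, and after the reboot reports any value that was changed back. The key path and the "Search Bar", "Search Page" value names come from the thread; the remaining value names ("Start Page", "Default_Page_URL", "Default_Search_URL") are the ones IE historically stored there, the baseline file location is an assumption, and the script sticks to PowerShell 2.0 cmdlets since that is what a Vista-era PC would have.

```powershell
# Added example (not from the original thread). Usage:
#   .\Check-IEMain.ps1 -Record     # after setting the values by hand, before rebooting
#   .\Check-IEMain.ps1             # after the reboot: reports values that were rewritten
param([switch]$Record)

# Key from the thread; value-name list and baseline path are assumptions.
$KeyPath  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Baseline = Join-Path $env:USERPROFILE 'ie-main-baseline.xml'
$Names    = 'Start Page', 'Search Page', 'Search Bar', 'Default_Page_URL', 'Default_Search_URL'

function Get-IEMainSnapshot {
    # Read every value of interest; record absent values explicitly so that a
    # value appearing or disappearing between runs is also reported.
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $snap = @{}
    foreach ($n in $Names) {
        $prop = $item.PSObject.Properties[$n]
        if ($prop) { $snap[$n] = [string]$prop.Value } else { $snap[$n] = '<absent>' }
    }
    return $snap
}

function Compare-IEMainSnapshot($old, $new) {
    # One row per value whose content differs from the saved baseline.
    $changed = @()
    foreach ($n in $Names) {
        if ($old[$n] -ne $new[$n]) {
            $changed += New-Object PSObject -Property @{ Value = $n; Before = $old[$n]; After = $new[$n] }
        }
    }
    return $changed
}

$current = Get-IEMainSnapshot

if ($Record) {
    # Export-Clixml/Import-Clixml round-trip a hashtable without needing PowerShell 3.0.
    $current | Export-Clixml -Path $Baseline
    Write-Host "Baseline recorded in $($Baseline):"
    foreach ($n in $Names) { Write-Host ("  {0,-20} = {1}" -f $n, $current[$n]) }
    return
}

if (-not (Test-Path $Baseline)) {
    throw "No baseline found. Run with -Record first, reboot, then run again."
}

$old  = Import-Clixml -Path $Baseline
$diff = Compare-IEMainSnapshot $old $current

if ($diff.Count -eq 0) {
    Write-Host "No change since baseline: nothing rewrote these values across the reboot."
} else {
    Write-Warning "Values changed since baseline; something is re-applying them at startup or logon:"
    $diff | Select-Object Value, Before, After | Format-Table -AutoSize
}
```

If the comparison reports changes, the thing to look for is whatever runs early enough to rewrite them: the per-user and per-machine Run keys, scheduled tasks, and IE browser helper objects are the usual places, which is also why Combofix (which enumerates those locations) is the next tool the thread reaches for.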
gerlis (Author) commented:
Well, on Monday evening I decided to try Combofix and... it worked!

The dummy web page no longer comes up. I re-ran all the other scans to make sure nothing was lurking, and all seems fine.

Combofix did, however, turn on Windows Firewall, so it dropped my remote desktop connection to the client's PC, so at the time I didn't know what had happened! Next day I went in there in readiness to re-install Windows, but all was working fine (put the RDP port as an exception in the firewall too).

Thanks jhyiesla, points go to you.