Dummy webpage malware?

One of our client's PCs last week was infected with malware (pop-up windows). Threw everything at it (they have Sophos installed): Malwarebytes, CCleaner, MS Safety Live. These all did a good job, but then Sophos reported a possible rootkit, so I ran Kaspersky rootkit killer and this found and removed it.

All seemed fine. Our client now reports every so often when on the Web (using IE) web pages coming up with adverts. I've logged into them remotely and seen it. In effect it's a dummy webpage with an advert. See attached screen snap. Note how it even mimics the Google logo in the search entry field top right!

Today I ran Malwarebytes, which found some things, then CCleaner, also the rootkit tool from Kaspersky (clean); finally I installed MS Security Essentials (clean).

This web page and variants still keep coming up. It can be closed with no problems but will appear again after 5 minutes or so.

Has anyone seen this before? Any ideas how to remove it?

They're running Windows Vista on a Server 2008 R2 network; nothing reported on any other PCs on the network.
(BTW the Anti-Spam Email Software zone is a mistake on my part! I meant anti-virus, I think. Can't work out how to change zone.)

Dummy web page (malware?)
Not seen this particular issue before, but in my experience, there many times comes a time when the greater good is served by just wiping and reloading. Yes, it's a pain, but how much time and effort have you thrown at this already, and you're still messing with it? About the only thing you haven't tried is Combofix... so that may be worth a shot.

One other thing that I've seen on occasion help is to save off the user's files and then log in as someone else. If the new user has no issues, then delete the old user's profile and have them log in to create a new one and then copy back the files you saved off earlier.

Still a wipe and reload will get rid of the problem.

I think that this is what you are looking for, found at http://www.threatexpert.com/report.aspx?md5=150f050f63ea8dc1d8684057f2d8f3e0

Hope that helps.
gerlisAuthor Commented:
Thanks. Wipe and reload is a big, time-consuming issue and our client has to pay for our time. So far it hasn't taken up much of my time, so I am prepared to continue trying things.

I will try Combofix later.

(Last week another of our clients did have malware and in the end I had to re-install, so I do know what it's like to have to give in!)
gerlisAuthor Commented:
How do I change the zone for this?

gerlisAuthor Commented:
stergium: Thanks for this. Though this link refers to "injecting" data into legitimate bank sites or keylogging, whereas my example is coming up with a dummy webpage, albeit with input fields.

If this is the cause (seems a similar effect), there is no indication shown on the link you gave about removing it?
Hi gerlis

Rootkits are notoriously hard to eliminate; you have to find the exact one and then the exact solution. You are gambling by leaving it on the network. I would suggest low-level formatting and reloading. If you do not want to do that, check on the server any files that might be saved there (profile etc.), because if you are sure that you have eliminated it from the local PC and then it shows up again, that means that
a) the user went again to the same site that picked it up the first time around
b) some files (backup, restore points, etc.) are infected and it keeps downloading it again

gerlisAuthor Commented:

I accept your point. You may be right and we might have to "bite the bullet" and re-install. I've been checking the server (they have redirected folders onto the server), too.

Can't do any more 'til later when the client has gone home, but will see if anyone on E-E has a "magic bullet" (lots of "bullet" metaphors today!)


gerlis, we have all been there. What can I say? Best of luck. Remember low-level formatting, and make sure that no files on the server are corrupt. I have been using Advanced System Care, which is free. It is not something spectacular but it works okay for me. Try HijackThis as well, get your results and post them on their forum; they are very helpful. Try Spybot Search and Destroy and adware, all are free. Check it with the ESET online virus scan if you have time too.

If you go down the new install route, make sure that the user has additional protection like Spybot running in the background, or any other program you are comfortable with.
If you can, do a test for me: open up regedit, go to this registry key and change the value manually for your search bar.

Go to this key and find the search bar value, double click it and manually type in a website of your choice, and reboot the system. Also do the same thing for search page and default. Tell me if the search engine values change after a reboot.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

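The reboot test above can be made repeatable with a short script instead of eyeballing regedit twice. The following PowerShell is an added example, not code from the thread or from any of the tools named in it: run it once after you have set the values in regedit (it saves a baseline), reboot, and run it again (it reports which of the four IE "Main" values no longer match). The baseline file location, the `Get-IeMainValues` helper name and the value list are assumptions; the key path is the one given in the post, and the same check can be pointed at the matching key under HKLM, which the post does not mention.

```powershell
# Added example (not from the thread). Compares the IE "Main" values before and
# after a reboot to tell whether something on the PC is rewriting them.
# Assumptions: the key path from the post; the value names below; PowerShell 2.0+.

$KeyPath  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Values   = @('Start Page', 'Search Page', 'Default_Page_URL', 'Search Bar')
$Baseline = Join-Path $env:USERPROFILE 'ie-main-baseline.csv'   # assumed location

function Get-IeMainValues {
    # Returns one object per watched value; a value that is not present is reported
    # as '<absent>' so that its appearance or removal also shows up as a change.
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $Values) {
        $current = '<absent>'
        if ($item -and $item.PSObject.Properties[$name]) { $current = $item.$name }
        New-Object PSObject -Property @{ Name = $name; Value = $current }
    }
}

if (-not (Test-Path $Baseline)) {
    # First run: set the values in regedit BEFORE this, then save what they look like.
    Get-IeMainValues | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Output "Baseline saved to $Baseline. Reboot, then run this script again."
}
else {
    # Second run (after the reboot): report every value that no longer matches.
    $old     = Import-Csv -Path $Baseline
    $changed = 0
    foreach ($now in Get-IeMainValues) {
        $was = ($old | Where-Object { $_.Name -eq $now.Name }).Value
        if ($was -ne $now.Value) {
            $changed++
            Write-Output ("CHANGED   {0}: '{1}' -> '{2}'" -f $now.Name, $was, $now.Value)
        }
        else {
            Write-Output ("unchanged {0}: '{1}'" -f $now.Name, $now.Value)
        }
    }
    if ($changed -gt 0) {
        Write-Output "$changed value(s) reverted after reboot: something is rewriting this key."
    }
    else {
        Write-Output "No IE Main values changed across the reboot."
    }
}
```

Run it in the affected user's session, since the key is per-user (HKCU). Delete the baseline CSV to start a fresh comparison. A value that reverts after a clean reboot points at a persistence mechanism still on the machine or on the server-side profile, which is what the thread is trying to distinguish from a simple re-infection.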

gerlisAuthor Commented:
Well, on Monday evening I decided to try Combofix and... it worked!

The dummy web page no longer comes up. I re-ran all the other scans to make sure nothing was lurking and all seems fine.

Combofix did, however, turn on Windows Firewall, so it dropped my Remote Desktop connection to the client's PC, so at the time I didn't know what had happened! Next day I went in there in readiness to re-install Windows, but all was working fine (put the RDP port as an exception in the firewall too).

Thanks jhyiesla, points go to you.
