lyonski

Virus or trojan, Internet Explorer accessing restricted and porn web sites

From the igoogle.com home page, we started having an issue with pornographic web sites coming up randomly, and then many instances of Internet Explorer opening up - like 30.  Suspecting a virus, I ran Trend Micro virus scan.  It found TROJ_FAKEAV.BVU and quarantined  it.  It appeared the issue was fixed.  But then I signed in to my daughter's google account and it quickly opened her google page, but then jumped to a pornographic site.  My Trend Micro gave an error message saying: "Unauthorized URL detected! The Web page you are attempting to visit is restricted by your company OR could potentially harm your computer.  If you feel otherwise, select the URL and click "Reclassify" (notifies your administrator) or "Approve" (continues to the Web page)."   Now Trend Micro continues to pop up this same warning - a couple of times per minute.
While the igoogle or google sites are open, it seems the computer is continuing to try to access a variety of sites, because site names keep popping up in the status bar at the bottom, and IE is working to load something.  And then the Trend Micro error message will pop up again.
This seems to happen whenever I click on a google tab - including this tab that I'm typing in right now.  I can go to another tab (i.e., MSN.com) and nothing happens.  But when I go back to this tab, then the Trend Micro error comes up.
Kent Dyer

The way that this is acting, you will want to kill the virus or malware from a Safe Mode session.

HTH,

Kent
lyonski

ASKER

So do I start in safe mode and then re-run the anti-virus software?  Or do I "kill the virus or malware" some other way?
Thank you!
SOLUTION
David Johnson, CD

This solution is only available to members.
Hi,
According to Symantec, TROJ_FAKEAV.BVU could also be known as Trojan.FakeAV!gen6

So, check on this to fix it:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-102111-3142-99&tabid=3

For more issues or other viruses check this:
http://www.symantec.com/business/security_response/removaltools.jsp

Of course you can try other free tools like:
http://www.microsoft.com/security/scanner/en-us/default.aspx
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

-hope helps-
Try loading Internet Explorer without add-ons. It may be related to a harmful extension:
The Run command line is as follows (copy and paste the following command into Run in the Start menu):
"C:\Program Files\Internet Explorer\iexplore.exe" -extoff

Then try to open google and see if it acts the same or not.
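
If the behaviour stops with add-ons off, the next step is to see which add-ons IE actually loads. The following is an added example, not part of the original post: a read-only PowerShell inventory of Browser Helper Objects with the signature status of each DLL. It assumes the standard HKLM Browser Helper Objects registry locations and covers only BHOs, not toolbars or other add-on types.

```powershell
# Added example (not from the thread): inventory IE Browser Helper Objects.
# Read-only: nothing is disabled or deleted.
$views = @(
    @{ View = 'native';         Root = 'HKLM:\SOFTWARE' },
    @{ View = 'WOW64 (32-bit)'; Root = 'HKLM:\SOFTWARE\WOW6432Node' }
)

$report = foreach ($view in $views) {
    $bhoKey = "$($view.Root)\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    if (-not (Test-Path -LiteralPath $bhoKey)) { continue }   # key absent on this system

    foreach ($entry in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid    = $entry.PSChildName                        # each subkey name is a COM CLSID
        $classKey = "$($view.Root)\Classes\CLSID\$clsid"
        $name = $null; $dll = $null; $sig = $null

        if (Test-Path -LiteralPath $classKey) {
            $name = (Get-ItemProperty -LiteralPath $classKey).'(default)'
        }
        if (Test-Path -LiteralPath "$classKey\InprocServer32") {
            # InprocServer32 default value is the DLL that IE loads for this BHO
            $raw = (Get-ItemProperty -LiteralPath "$classKey\InprocServer32").'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
        }
        $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
        if ($onDisk) { $sig = Get-AuthenticodeSignature -FilePath $dll }

        [pscustomobject]@{
            View      = $view.View
            CLSID     = $clsid
            Name      = $name
            Dll       = $dll
            OnDisk    = $onDisk
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Unsigned, invalidly signed, or missing DLLs sort first for review.
$report | Sort-Object { $_.Signature -eq 'Valid' }, Name | Format-List
```

Entries whose DLL is missing, unsigned, or located in a temp or profile directory are the ones to compare against the Manage Add-ons list in IE.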
ASKER CERTIFIED SOLUTION
This solution is only available to members.
lyonski,
I'm just posting to concur with the recommendations from Jonvee.
There are some variants (very few) that require a "Safe Mode" boot, but it is usually best to try everything in "Normal Mode" - when the rogue processes can be identified and killed.

Here are some thoughts on the pluses and minuses of various strategies:
Malware Fighting – Best Practices
lyonski

ASKER

So far I've run malwarebytes and combofix.  MBAM found, quarantined and deleted a trojan: TROJ_FAKE (with some extension I can't remember.)  I am still having issues.  It seemed related to my daughter's google account.  So I tried signing on to her account from my laptop.  I think I am having the same issue and an additional issue on the laptop.  My laptop uses BitDefender for antivirus.
I started up the laptop, opened Internet Explorer and then opened BitDefender.  My BitDefender had a warning on the console page indicating that a virus scan hadn't been run in several days.  Then I signed in to MY google account - no issues.  I signed out and then signed in to my daughter's account.  The lower status bar showed that IE was trying to access or open many different web sites.  While this was happening, the status on my BitDefender console now indicates that a scan for viruses has never been done on this computer.  Then some of the web sites trying to be accessed by IE started causing a variety of script errors.
"So far I've run malwarebytes and combofix."
Did you run RogueKiller or RKill before doing that?
You need to stop the rogue processes to allow the scanners to do their job.
lyonski

ASKER

No - the suggestions for malwarebytes and combofix were provided before the RogueKiller and RKill suggestions were posted.  But given that I can replicate the problem on my laptop when signing in to my daughter's google account, do you still suspect a rogue process on my desktop?
Any time you are getting a 'redirector' malfunction, it is probably malware related on the system you're using. Anything is possible in the malware world, but I have not yet heard of an 'infected' Google account.

For Hijacking/re-directs, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service, it will prompt you to type "delete"; you can also just hit "Enter" without typing anything in and the scan will continue.
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Further details for troubleshooting malware problems are in this EE Article:
Stop-the-Bleeding-First-Aid-for-Malware