Virus or trojan, Internet Explorer accessing restricted and porn web sites

Posted on 2011-10-14
Last Modified: 2013-11-22
From the igoogle.com home page, we started having an issue with pornographic web sites coming up randomly, and then many instances of Internet Explorer opening up - like 30.  Suspecting a virus, I ran Trend Micro virus scan.  It found TROJ_FAKEAV.BVU and quarantined it.  It appeared the issue was fixed.  But then I signed in to my daughter's google account and it quickly opened her google page, but then jumped to a pornographic site.  My Trend Micro gave an error message saying: "Unauthorized URL detected! The Web page you are attempting to visit is restricted by your company OR could potentially harm your computer.  If you feel otherwise, select the URL and click "Reclassify" (notifies your administrator) or "Approve" (continues to the Web page)."   Now Trend Micro continues to pop up this same warning - a couple of times per minute.
While the igoogle or google sites are open, it seems the computer is continuing to try to access a variety of sites, because site names keep popping up in the status bar at the bottom, and IE is working to load something.  And then the Trend Micro error message will pop up again.
This seems to happen whenever I click on a google tab - including this tab that I'm typing in right now.  I can go to another tab (i.e., MSN.com) and nothing happens.  But when I go back to this tab, then the Trend Micro error comes up.
Question by:lyonski
11 Comments
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 36972056
The way that this is acting, you will want to kill the virus or malware from a Safe Mode session.

HTH,

Kent

Author Comment

by:lyonski
ID: 36972087
So do I start in safe mode and then re-run the anti-virus software?  Or do I "kill the virus or malware" some other way?
Thank you!
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 600 total points
ID: 36972110
on another computer download Malwarebytes and ComboFix

on your malfunctioning computer run msconfig
go to services (hide Microsoft services) then uncheck services and startup
let the machine reboot, insert the USB key with Malwarebytes and ComboFix
now install / run Malwarebytes, let it do its work and make sure it is up to date
if it finds anything have it delete it.. it may say it needs to reboot.. let it reboot.
run msconfig, re-enable your Trend Micro antivirus / firewall
reboot
now go to google.com/ig and see what happens.
if everything is ok go to msconfig and enable all the services
now go through your startup items and enable only the ones that you know and that are needed
reboot
check google.com/ig again
hopefully you are back to normal without having to run ComboFix.
go
LVL 5

Expert Comment

by:hvillanu
ID: 36972198
Hi,
According to Symantec, TROJ_FAKEAV.BVU could also be known as Trojan.FakeAV!gen6

So, check on this to fix it:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-102111-3142-99&tabid=3

For more issues or other viruses check this:
http://www.symantec.com/business/security_response/removaltools.jsp

Of course you can try other free tools like:
http://www.microsoft.com/security/scanner/en-us/default.aspx
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

-hope it helps-
LVL 10

Expert Comment

by:Arman Khodabande
ID: 36972250
Try loading Internet Explorer without add-ons. It may be related to a harmful extension.
The Run command line is as follows (copy and paste the following command into Run in the Start menu):
"C:\Program Files\Internet Explorer\iexplore.exe" -extoff

Then try to open google and see if it acts the same or not.
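As an added illustration (not posted by anyone in this thread), the following PowerShell check goes one step beyond `-extoff`: it lists the Browser Helper Objects that Internet Explorer loads, resolves each CLSID to the DLL behind it and reports the DLL's Authenticode status, so a suspicious add-on can be named instead of just disabled. The registry paths are the standard BHO registration keys; the function name `Get-IEBrowserHelperObjects` is my own.

```powershell
# Added example, not from the original thread. Enumerates IE Browser Helper Objects (BHOs),
# resolves each CLSID to the DLL IE would load, and flags unsigned DLLs or DLLs living in
# user-writable locations. Run from an elevated PowerShell prompt on the affected machine.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-IEBrowserHelperObjects {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            # The CLSID's InprocServer32 default value is the DLL path the browser loads.
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $server   = "$clsidKey\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }
            $sig = 'n/a'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            [PSCustomObject]@{
                CLSID      = $clsid
                Name       = $name
                Dll        = $dll
                Signature  = $sig
                # Unsigned DLLs, missing DLLs, or DLLs under AppData/Temp/ProgramData deserve a closer look.
                Suspicious = ($sig -ne 'Valid') -or ($dll -match '\\(AppData|Temp|ProgramData)\\')
            }
        }
    }
}

Get-IEBrowserHelperObjects | Format-Table -AutoSize
```

Compare the output with the behaviour seen under `-extoff`: an entry marked Suspicious that disappears when add-ons are disabled is the first thing to hand to the removal tools.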
LVL 27

Accepted Solution

by:
Jonvee earned 1400 total points
ID: 36972429
For browser redirection my suggestion is to run TDSSKiller. Rename TDSSkiller if it refuses to run:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Download the file TDSSKiller.zip and extract it into a folder
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to be over.
Close all programs and press “Y” key to restart your computer.

More detail TDSSKiller tutorial:
http://support.kaspersky.com/viruses/solutions?qid=208280684

Then try downloading & updating Malwarebytes anti-Malware, from here:
http://www.malwarebytes.org/mbam.php
Run in normal mode.
Tutorial, if required:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t169669.html

MBAM should remove the problem, but if it won't run, download and run Rkill first.
Do not boot after running Rkill, then run MalwareBytes.

Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools:
http://www.technibble.com/rkill-repair-tool-of-the-week/
http://www.bleepingcomputer.com/forums/topic308364.html

An alternative to Rkill is Rogue-Killer, and EE's Page Editor younghv has produced a good article here:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html
LVL 38

Expert Comment

by:younghv
ID: 36973420
lyonski,
I'm just posting to concur with the recommendations from Jonvee.
There are some variants (very few) that require a "Safe Mode" boot, but it is usually best to try everything in "Normal Mode" - when the rogue processes can be identified and killed.

Here are some thoughts on the pluses and minuses of various strategies:
Malware Fighting – Best Practices

Author Comment

by:lyonski
ID: 36976365
So far I've run malwarebytes and combofix.  MBAM found, quarantined and deleted a trojan: TROJ_FAKE (with some extension I can't remember.)  I am still having issues.  It seemed related to my daughter's google account.  So I tried signing on to her account from my laptop.  I think I am having the same issue and an additional issue on the laptop.  My laptop uses BitDefender for antivirus.
I started up the laptop, opened Internet Explorer and then opened BitDefender.  My BitDefender had a warning on the console page indicating that a virus scan hadn't been run in several days.  Then I signed in to MY google account - no issues.  I signed out and then signed in to my daughter's account.  The lower status bar showed that IE was trying to access or open many different web sites.  While this was happening, the status on my BitDefender console now indicates that a scan for viruses has never been done on this computer.  Then some of the web sites trying to be accessed by IE started causing a variety of script errors.
LVL 38

Expert Comment

by:younghv
ID: 36976416
"So far I've run malwarebytes and combofix."
Did you run RogueKiller or RKill before doing that?
You need to stop the rogue processes to allow the scanners to do their job.

Author Comment

by:lyonski
ID: 36976474
No - the suggestions for malwarebytes and combofix were provided before the RogueKiller and RKill suggestions were posted.  But given that I can replicate the problem on my laptop when signing in to my daughter's google account, do you still suspect a rogue process on my desktop?
LVL 38

Expert Comment

by:younghv
ID: 36976507
Any time you are getting a 'redirector' malfunction, it is probably malware related on the system you're using. Anything is possible in the malware world, but I have not yet heard of an 'infected' Google account.

For Hijacking/re-directs, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Further details for trouble-shooting malware problems are in this EE Article:
Stop-the-Bleeding-First-Aid-for-Malware