Posts: 3,499
Threads: 412
Joined: Feb 2003
My wife has a Windows 7 laptop and was complaining that she couldn't do Google searches. I had a look and was mystified. Every Google search returned a 500 Internal Server Error screen. I immediately suspected malware, so I tried various combinations of browsers and search engines. IE didn't allow Google to be accessed at all. Firefox would load Google, but any search resulted in a 500 error. Yahoo and MSN searches were also denied. Metacrawler and Dogpile were allowed, but screw them just because.
She could access any website by manually typing the address into the address bar.
I ran and re-ran MSE, Malwarebytes, Spybot, and a few online security scans. Everything came up clean. I checked other things like her hosts file, and did a /flushdns. I ran some searches on my own computer, but nothing worked.
Right now I am reformatting her computer. Has anyone else seen something like this?
Posts: 5,139
Threads: 299
Joined: Feb 2003
Well if it were 5 years ago I would have run hijackthis, I have no idea if that is still something that is useful nowadays though. In the past I ran into stuff that would do things like that all the time via hidden services and registry changes.
---
It's all just zeroes and ones and duct tape in the end.
Posts: 3,499
Threads: 412
Joined: Feb 2003
(10-29-2011, 01:55 AM)Gnollguy Wrote: Well if it were 5 years ago I would have run hijackthis, I have no idea if that is still something that is useful nowadays though. In the past I ran into stuff that would do things like that all the time via hidden services and registry changes.
I never thought about running hijackthis, but sifting through those logs would have been far more irritating than just reformatting her laptop. My wife only had a couple of spreadsheets and word documents she needed to save. I put those on a flash drive.
The reformat is done, and now I'm just waiting on the endless Windows updates. When this is all over I'm going to make Firefox her default browser and install Adblock+. She browses far too many "free coupon" websites, which I'm sure is where this piece of nastiness was picked up from.
Posts: 1,920
Threads: 227
Joined: Feb 2003
Did you try checking if she is being rerouted through a Proxy? I encountered a virus at work that did this to download the virus, so even if we deleted the virus from the computer, the next time we opened a webpage, the virus would load up. After I figured this out and we set it to Automatically Configure the internet, it was still redirecting our searches. As it turns out, the virus had hidden itself in one of the IE and Firefox addons (such as Java Script, Active X, etc.), and none of the virus scanners could catch it. I ran the non-infected online virus scanners Trend Micro in safemode, Norton, Avast, and Kaspersky. They all came up blank. I ran Sophos for rootkits and Microsoft MRT, all in full system scan in safemode. They all came up blank. I ended up just disabling all the add-ons in IE and Firefox and wouldn't you know it... the problem went away! But other than word processing, that computer is pretty much a brick now in terms of what you can do on the net. I was going to try Chrome and see if a new browser with uncorrupted add-ons would work (I bet it would), but I never got a chance.
"The true value of a human being is determined primarily by the measure and the sense in which he has attained liberation from the self." -Albert Einstein
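The two places this post and the first one mention checking (the hosts file and the proxy settings) can be audited without running any scanner. Added example, not code from the thread; the hosts text and the Internet Settings values are constructed, and the registry value names (ProxyEnable, ProxyServer, AutoConfigURL) are the ones IE stores under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

```python
import ipaddress

# Search engines the poster found blocked; a clean hosts file never names them.
SEARCH_DOMAINS = ("google.com", "yahoo.com", "bing.com", "live.com")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample modelled on a stock Windows 7 hosts file plus one hijack line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net            # blocklist-style entry, harmless
203.0.113.44    www.google.com google.com  # constructed hijack entry
"""

# Constructed mirror of the IE proxy values a hijacker would set.
SAMPLE_INET = {"ProxyEnable": 1, "ProxyServer": "203.0.113.44:8080", "AutoConfigURL": ""}


def audit_hosts(hosts_text):
    """Return (reason, detail) pairs for hosts entries a clean system never has:
    any search-engine name at all, or any non-localhost name sent off-box."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed line", raw.strip()))
            continue
        for name in names:
            host = name.lower()
            if host == "localhost":
                continue
            if any(host == d or host.endswith("." + d) for d in SEARCH_DOMAINS):
                findings.append(("search engine overridden", f"{host} -> {ip}"))
            elif ip not in LOOPBACK:                # loopback = blocklist, tolerable
                findings.append(("redirect to real address", f"{host} -> {ip}"))
    return findings


def audit_proxy(inet_settings):
    """Flag a manual proxy or a PAC script; a home laptop should have neither."""
    findings = []
    if inet_settings.get("ProxyEnable", 0) == 1:
        findings.append(("proxy enabled", inet_settings.get("ProxyServer", "")))
    if inet_settings.get("AutoConfigURL"):
        findings.append(("PAC script configured", inet_settings["AutoConfigURL"]))
    return findings
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into audit_hosts and the three registry values into audit_proxy.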
Posts: 3,499
Threads: 412
Joined: Feb 2003
10-29-2011, 04:01 AM
(This post was last modified: 10-29-2011, 04:02 AM by DeeBye.)
(10-29-2011, 03:07 AM)Taem Wrote: Did you try checking if she is being rerouted through a Proxy?
I didn't bother. If all of the anti-malware stuff I threw at it couldn't find the problem, I assumed that removing it was way harder than just reformatting/reinstalling Windows.
edit: it seems that removing bloatware from an Acer laptop is a hassle as well.
Posts: 557
Threads: 134
Joined: Feb 2005
Almost all out of the box computers are infested with bloatware. Currently managing to run Win7, MS Office 2010, and some games on a 120 GB drive.
Posts: 2,949
Threads: 183
Joined: Jul 2004
This is why it's a good idea to have a copy of W7 burned to a CD. Grab the necessary drivers from the manufacturer and burn those to a CD as well. Then install W7 clean using the Product Key supplied with the system (if you didn't get one from the OEM, tell Microsoft as that is not allowed), install drivers, then update from Windows Update and you have a clean system without all the bloatware.
Sith Warriors - The only class that gets a new room added to their ship after leaving Hoth, they get a Brooncloset
Einstein said Everything is Relative.
Heisenberg said Everything is Uncertain.
Therefore, everything is relatively uncertain.
Posts: 1,920
Threads: 227
Joined: Feb 2003
(10-30-2011, 04:04 PM)Lissa Wrote: This is why it's a good idea to have a copy of W7 burned to a CD. Grab the necessary drivers from the manufacturer and burn those to a CD as well. Then install W7 clean using the Product Key supplied with the system (if you didn't get one from the OEM, tell Microsoft as that is not allowed), install drivers, then update from Windows Update and you have a clean system without all the bloatware.
Or just image your drive after you've downloaded all the Win 7 updates and updated all your drivers.
Posts: 2,949
Threads: 183
Joined: Jul 2004
(10-30-2011, 06:29 PM)Taem Wrote: (10-30-2011, 04:04 PM)Lissa Wrote: This is why it's a good idea to have a copy of W7 burned to a CD. Grab the necessary drivers from the manufacturer and burn those to a CD as well. Then install W7 clean using the Product Key supplied with the system (if you didn't get one from the OEM, tell Microsoft as that is not allowed), install drivers, then update from Windows Update and you have a clean system without all the bloatware.
Or just image your drive after you've downloaded all the Win 7 updates and updated all your drivers.
That doesn't help if you still have the bloatware from the OEMs in there. The idea is that once you get the machine, you reinstall with a clean W7 before doing anything else to remove the loaded bloatware.
Posts: 1,182
Threads: 62
Joined: Nov 2004
I've run into the same exact issue on one of our work laptops. The strange thing is, it seems to be bound to the connection, not anything on the laptop. If the user hooks up to his home RoadRunner connection, Google/Yahoo/etc searches work fine. If he runs through his work connection (a Netscreen router device that plugs into his RoadRunner connection), all his searches are blocked. I gave him a different laptop to take home and test, and the same thing happened on that one.
We're baffled, to say the least.
Posts: 1,920
Threads: 227
Joined: Feb 2003
(10-31-2011, 12:04 AM)RTM Wrote: I've run into the same exact issue on one of our work laptops. The strange thing is, it seems to be bound to the connection, not anything on the laptop. If the user hooks up to his home RoadRunner connection, Google/Yahoo/etc searches work fine. If he runs through his work connection (a Netscreen router device that plugs into his RoadRunner connection), all his searches are blocked. I gave him a different laptop to take home and test, and the same thing happened on that one.
We're baffled, to say the least.
That's fascinating. I wonder if somehow his router got a virus (I've never heard of that before), or at least, his computer got a virus that changed some settings on the router, maybe opened some ports for backdoor fun or something. I would have him hard reset his router to factory settings, apply the latest firmware upgrade, unplug all other network devices that may have the virus in them, then see what happens. If his computer is still blocking searches, then that is truly baffling. If not, then I think you got your answer.
Posts: 7,955
Threads: 286
Joined: Feb 2003
(11-04-2011, 07:58 PM)Taem Wrote: We're baffled, to say the least.
I've run into similar malware. It inserted itself directly into a layer of the network stack. I tried to excise it, but only ended up damaging the operating system. Eventually, I saved off the stuff I needed, wiped the hard drive, and reinstalled from scratch. After a while, it gets to be the safest, most expedient method anyway. Then, you have no fear of lingering effects either.
"There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.
Posts: 1,920
Threads: 227
Joined: Feb 2003
(11-04-2011, 11:22 PM)kandrathe Wrote: (11-04-2011, 07:58 PM)Taem Wrote: We're baffled, to say the least.
I've run into similar malware. It inserted itself directly into a layer of the network stack. I tried to excise it, but only ended up damaging the operating system. Eventually, I saved off the stuff I needed, wiped the hard drive, and reinstalled from scratch. After a while, it gets to be the safest, most expedient method anyway. Then, you have no fear of lingering effects either.
He's saying that even with a new computer the virus came back.
Posts: 7,955
Threads: 286
Joined: Feb 2003
(11-04-2011, 11:50 PM)Taem Wrote: He's saying that even with a new computer the virus came back.
Just connecting any unprotected machine to an infected network would return the virus. It turned out the voicemail server, running an ancient OS version, was our vector. We finally found it using a packet sniffer. And, then, we had to upgrade the phone system...
Posts: 1,182
Threads: 62
Joined: Nov 2004
Resetting the router to factory specs isn't really an option since it's a custom-configured corporate-class Netscreen as opposed to a Linksys you'd pick up at Staples. Neither one of the laptops we tried are "unprotected", although the corporate version of McAfee is probably as close to unprotected as you're going to get. Don't even get me started...
If it were malware in the network stack (something I wouldn't rule out), why do searches work fine on his home network?
Posts: 7,955
Threads: 286
Joined: Feb 2003
(11-07-2011, 04:17 PM)RTM Wrote: Resetting the router to factory specs isn't really an option since it's a custom-configured corporate-class Netscreen as opposed to a Linksys you'd pick up at Staples. Neither one of the laptops we tried are "unprotected", although the corporate version of McAfee is probably as close to unprotected as you're going to get. Don't even get me started...
If it were malware in the network stack (something I wouldn't rule out), why do searches work fine on his home network?
I would suspect something like hardwired routing tables. He was probably infected at home, so to the hijacked it would appear to be business as usual. At work, with the firewalls in place, the Trojan is revealed.
The nastiest crap I've had to deal with worms itself into EPROMs, where the only solution is to reflash the BIOS and all programmable firmware. A consultant working for me once had a drive firmware virus that forced itself to wipe the drive on boot. Frustrating, until you take it down to the hardware level.
I've seen some components (NICs, drives) messed up enough where it's cheaper, in terms of time, to just buy a new one.
Posts: 1,781
Threads: 181
Joined: Feb 2003
(11-07-2011, 04:17 PM)RTM Wrote: Resetting the router to factory specs isn't really an option since it's a custom-configured corporate-class Netscreen as opposed to a Linksys you'd pick up at Staples. Neither one of the laptops we tried are "unprotected", although the corporate version of McAfee is probably as close to unprotected as you're going to get. Don't even get me started...
If it were malware in the network stack (something I wouldn't rule out), why do searches work fine on his home network?
Can you reflash the router with the image of the proper configuration? I kind of doubt that the problem is an infested router though. But someone may have changed a setting.
"I may be old, but I'm not dead."
Posts: 7,955
Threads: 286
Joined: Feb 2003
11-07-2011, 07:31 PM
(This post was last modified: 11-07-2011, 07:32 PM by kandrathe.)
(11-07-2011, 05:38 PM)LavCat Wrote: (11-07-2011, 04:17 PM)RTM Wrote: Resetting the router to factory specs isn't really an option since it's a custom-configured corporate-class Netscreen as opposed to a Linksys you'd pick up at Staples. Neither one of the laptops we tried are "unprotected", although the corporate version of McAfee is probably as close to unprotected as you're going to get. Don't even get me started...
If it were malware in the network stack (something I wouldn't rule out), why do searches work fine on his home network?
Can you reflash the router with the image of the proper configuration? I kind of doubt that the problem is an infested router though. But someone may have changed a setting.
... and I would examine the netscreen logs to see "if" and "what" the router actually did to the packet, and then track back to the "why" of any rules or ip blacklisting. This is why I love a Linux laptop with a good packet sniffer (e.g. Wireshark). You can answer questions like... does it even get to the firewall, and does it get past it. How does it look different than a request from another computer that does work.