Has anyone dealt with this malware?
#1
My wife has a Windows 7 laptop and was complaining that she couldn't do Google searches. I had a look and was mystified. Every Google search returned a 500 Internal Server Error screen. I immediately suspected malware, so I tried various combinations of browsers and search engines. IE didn't allow Google to be accessed at all. Firefox would load Google, but any search resulted in a 500 error. Yahoo and MSN searches were also denied. Metacrawler and Dogpile were allowed, but screw them just because.

She could access any website by manually typing the address into the address bar.

I ran and re-ran MSE, Malwarebytes, Spybot, and a few online security scans. Everything came up clean. I checked other things like her hosts file, and did a /flushdns. I ran some searches on my own computer, but nothing worked.

Right now I am reformatting her computer. Has anyone else seen something like this?
Reply
#2
Well if it were 5 years ago I would have run hijackthis, I have no idea if that is still something that is useful nowadays though. In the past I ran into stuff that would do things like that all the time via hidden services and registry changes.
---
It's all just zeroes and ones and duct tape in the end.
Reply
#3
(10-29-2011, 01:55 AM)Gnollguy Wrote: Well if it were 5 years ago I would have run hijackthis, I have no idea if that is still something that is useful nowadays though. In the past I ran into stuff that would do things like that all the time via hidden services and registry changes.

I never thought about running hijackthis, but sifting through those logs would have been far more irritating than just reformating her laptop. My wife only had a couple of spreadsheets and word documents she needed to save. I put those on a flash drive.

The reformat is done, and now I'm just waiting on the endless Windows updates. When this is all over I'm going to make Firefox her default browser and install Adblock+. She browses far too many "free coupon" websites, which I'm sure is where this piece of nastiness was picked up from.
Reply
#4
Did you try checking if she is being rerouted through a Proxy? I encountered a virus at work that did this to download the virus, so even if we deleted the virus from the computer, the next time we opened a webpage, the virus would load up. After I figured this out and we set it to Automatically Configure the internet, it was still redirecting our searches. As it turns out, the virus had hidden itself in one of the IE and Firefox addons (such as Java Script, Active X, etc.), and none of the virus scanners could catch it. I ran the non-infected online virus scanners Trend Micro in safemode, Norton, Avast, and Kaspersky. They all came up blank. I ran Sophos for rootkits and Microsoft MRT, all in full system scan in safemode. They all came up blank. I ended up just disabling all the add-ons in IE and Firefox and wouldn't you know it... the problem went away! But other than word processing, that computer is pretty much a brick now in terms of what you can do on the net. I was going to try Chrome and see if a new browser with uncorrupted add-ons would work (I bet it would), but I never got a chance.
"The true value of a human being is determined primarily by the measure and the sense in which he has attained liberation from the self." -Albert Einsetin
Reply
#5
(10-29-2011, 03:07 AM)Taem Wrote: Did you try checking if she is being rerouted through a Proxy?

I didn't bother. If all of the anti-malware stuff I threw at it couldn't find the problem, I assumed that removing it was way harder than just reformating/reinstalling Windows.

edit: it seems that removing bloatware from an Acer laptop is a hassle as well.
Reply
#6
Almost all out of the box computers are infested with bloatware. Currently managing to run Win7, MS Office 2010, and some games on a 120 GB drive.
Reply
#7
This is why it's a good idea to have a copy of W7 burned to a CD. Grab the necessary drivers from the manufacturer and burn those to a CD as well. Then install W7 clean using the Product Key supplied with the system (if you didn't get one from the OEM, tell Microsoft as that is not allowed), install drivers, then update from Windows Update and you have a clean system without all the bloatware.
Sith Warriors - They only class that gets a new room added to their ship after leaving Hoth, they get a Brooncloset

Einstein said Everything is Relative.
Heisenberg said Everything is Uncertain.
Therefore, everything is relatively uncertain.
Reply
#8
(10-30-2011, 04:04 PM)Lissa Wrote: This is why it's a good idea to have a copy of W7 burned to a CD. Grab the necessary drivers from the manufacturer and burn those to a CD as well. Then install W7 clean using the Product Key supplied with the system (if you didn't get one from the OEM, tell Microsoft as that is not allowed), install drivers, then update from Windows Update and you have a clean system without all the bloatware.

Or just image your drive after you've downloaded all the Win 7 updates and updated all your drivers Tongue .
"The true value of a human being is determined primarily by the measure and the sense in which he has attained liberation from the self." -Albert Einsetin
Reply
#9
(10-30-2011, 06:29 PM)Taem Wrote:
(10-30-2011, 04:04 PM)Lissa Wrote: This is why it's a good idea to have a copy of W7 burned to a CD. Grab the necessary drivers from the manufacturer and burn those to a CD as well. Then install W7 clean using the Product Key supplied with the system (if you didn't get one from the OEM, tell Microsoft as that is not allowed), install drivers, then update from Windows Update and you have a clean system without all the bloatware.

Or just image your drive after you've downloaded all the Win 7 updates and updated all your drivers Tongue .

That doesn't help if you still have the bloatware from the OEMs in there. The idea is that once you get the machine, you reinstall with a clean W7 before doing anything else to remove the loaded bloatware.
Sith Warriors - They only class that gets a new room added to their ship after leaving Hoth, they get a Brooncloset

Einstein said Everything is Relative.
Heisenberg said Everything is Uncertain.
Therefore, everything is relatively uncertain.
Reply
#10
I've run into the same exact issue on one of our work laptops. The strange thing is, it seems to be bound to the connection, not anything on the laptop. If the user hooks up to his home RoadRunner connection, Google/Yahoo/etc searches work fine. If he runs through his work connection (a Netscreen router device that plugs into his RoadRunner connection), all his searches are blocked. I gave him a different laptop to take home and test, and the same thing happened on that one.

We're baffled, to say the least.
Reply
#11
(10-31-2011, 12:04 AM)RTM Wrote: I've run into the same exact issue on one of our work laptops. The strange thing is, it seems to be bound to the connection, not anything on the laptop. If the user hooks up to his home RoadRunner connection, Google/Yahoo/etc searches work fine. If he runs through his work connection (a Netscreen router device that plugs into his RoadRunner connection), all his searches are blocked. I gave him a different laptop to take home and test, and the same thing happened on that one.

We're baffled, to say the least.

That's fascinating. I wonder if somehow his router got a virus (I've never heard of that before), or at least, his computer got a virus that changed some settings on the router, maybe opened some ports for backdoor fun or something. I would have him hard reset his router to factory settings, apply the latest firmware upgrade, unplug all other network devices that may have the virus in them, then see what happens. If his computer is still blocking searches, then that is truly baffling. If not, then I think you got your answer.
"The true value of a human being is determined primarily by the measure and the sense in which he has attained liberation from the self." -Albert Einsetin
Reply
#12
(11-04-2011, 07:58 PM)Taem Wrote: We're baffled, to say the least.

I've run into similar malware. It inserted itself directly into a layer of the network stack. I tried to excise it, but only ended up damaging the operating system. Eventually, I saved off the stuff I needed, wiped the hard drive, and reinstalled from scratch. After awhile, it gets to be the safest, more expedient method anyway. Then, you have no fear of lingering effects either.
”There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.

[Image: yVR5oE.png][Image: VKQ0KLG.png]

Reply
#13
(11-04-2011, 11:22 PM)kandrathe Wrote:
(11-04-2011, 07:58 PM)Taem Wrote: We're baffled, to say the least.

I've run into similar malware. It inserted itself directly into a layer of the network stack. I tried to excise it, but only ended up damaging the operating system. Eventually, I saved off the stuff I needed, wiped the hard drive, and reinstalled from scratch. After awhile, it gets to be the safest, more expedient method anyway. Then, you have no fear of lingering effects either.

He's saying that even with a new computer theuntil virus came back.
"The true value of a human being is determined primarily by the measure and the sense in which he has attained liberation from the self." -Albert Einsetin
Reply
#14
(11-04-2011, 11:50 PM)Taem Wrote: He's saying that even with a new computer theuntil virus came back.
Just connecting any unprotected machine to an infected network would return the virus. It turned out the voicemail server, running an ancient OS version, was our vector. We finally found it using a packet sniffer. And, then, we had to upgrade the phone system...
”There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.

[Image: yVR5oE.png][Image: VKQ0KLG.png]

Reply
#15
Resetting the router to factory specs isn't really an option since it's a custom-configured corporate-class Netscreen as opposed to a Linksys you'd pick up at Staples. Neither one of the laptops we tried are "unprotected", although the corporate version of McAfee is probably as close to unprotected as you're going to get. Don't even get me started...

If it were malware in the network stack (something I wouldn't rule out), why do searches work fine on his home network?
Reply
#16
(11-07-2011, 04:17 PM)RTM Wrote: Resetting the router to factory specs isn't really an option since it's a custom-configured corporate-class Netscreen as opposed to a Linksys you'd pick up at Staples. Neither one of the laptops we tried are "unprotected", although the corporate version of McAfee is probably as close to unprotected as you're going to get. Don't even get me started...

If it were malware in the network stack (something I wouldn't rule out), why do searches work fine on his home network?
I would suspect something like hardwired routing tables. He was probably infected at home, so to the hijacked it would appear to be business as usual. At work, with the firewalls in place, the Trojan is revealed.

The nastiest crap I've had to deal with worms itself into eproms, where the only solution is to reflash the BIOS and all programmable firmware. A consultant working for me once had a drive firmware virus that forced itself to wipe the drive on boot. Frustrating, until you take it down to the hardware level.

I've seen some components (NIC's, drives) messed up enough where it's cheaper, in terms of time, to just buy a new one.
”There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.

[Image: yVR5oE.png][Image: VKQ0KLG.png]

Reply
#17
(11-07-2011, 04:17 PM)RTM Wrote: Resetting the router to factory specs isn't really an option since it's a custom-configured corporate-class Netscreen as opposed to a Linksys you'd pick up at Staples. Neither one of the laptops we tried are "unprotected", although the corporate version of McAfee is probably as close to unprotected as you're going to get. Don't even get me started...

If it were malware in the network stack (something I wouldn't rule out), why do searches work fine on his home network?

Can you reflash the router with the image of the proper configuration? I kind of doubt that the problem is an infested router though. But someone may have changed a setting.
"I may be old, but I'm not dead."
Reply
#18
(11-07-2011, 05:38 PM)LavCat Wrote:
(11-07-2011, 04:17 PM)RTM Wrote: Resetting the router to factory specs isn't really an option since it's a custom-configured corporate-class Netscreen as opposed to a Linksys you'd pick up at Staples. Neither one of the laptops we tried are "unprotected", although the corporate version of McAfee is probably as close to unprotected as you're going to get. Don't even get me started...

If it were malware in the network stack (something I wouldn't rule out), why do searches work fine on his home network?

Can you reflash the router with the image of the proper configuration? I kind of doubt that the problem is an infested router though. But someone may have changed a setting.
... and I would examine the netscreen logs to see "if" and "what" the router actually did to the packet, and then track back to the "why" of any rules or ip blacklisting. This is why I love a Linux laptop with a good packet sniffer (e.g. Wireshark). You can answer questions like... does it even get to the firewall, and does it get past it. How does it look different than a request from another computer that does work.

”There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.

[Image: yVR5oE.png][Image: VKQ0KLG.png]

Reply


Forum Jump:


Users browsing this thread: 13 Guest(s)