Web searches hijacked by malware

Discussion in 'Computer Security' started by Charles Packer, Dec 7, 2009.

  1. My wife's Windows XP system has suddenly acquired some
    malware that, basically, intervenes in any Web search
    she does for information about computer viruses, etc.,
    i.e. the very information she would need to remove it.
    It also intervenes when she attempts to go directly to
    an anti-virus vendor, e.g. symantec.com.

    As a long-time Linux guy, this is the first time I've
    ever seen a seriously infected computer. It seems to want to
    route her to Stopzilla.com, because that's the page
    that usually is the endpoint of the hijacking. I learned
    that Stopzilla is apparently a legitimate vendor.
    So what's going on? There's a ton of information on
    the Web about how to deal with viruses. Does anybody
    here recognize this particular problem and know
    a shortcut to finding a solution to it? Or, let
    me know if more details are needed for a useful
    discussion here.

    --
    Charles Packer
    http://cpacker.org/whatnews
    mailboxATcpacker.org
     
    Charles Packer, Dec 7, 2009
    #1

  2. From: "Charles Packer" <>

    | My wife's Windows XP system has suddenly acquired some
    | malware that, basically, intervenes in any Web search
    | she does for information about computer viruses, etc.,
    | i.e. the very information she would need to remove it.
    | It also intervenes when she attempts to go directly to
    | an anti-virus vendor, e.g. symantec.com.

    | As a long-time Linux guy, this is the first time I've
    | ever seen a seriously infected computer. It seems to want to
    | route her to Stopzilla.com, because that's the page
    | that usually is the endpoint of the hijacking. I learned
    | that Stopzilla is apparently a legitimate vendor.
    | So what's going on? There's a ton of information on
    | the Web about how to deal with viruses. Does anybody
    | here recognize this particular problem and know
    | a shortcut to finding a solution to it? Or, let
    | me know if more details are needed for a useful
    | discussion here.

    The Vundotrojan/Virtumonde adware has been known to redirect to StopZilla.

    Download, install, update and then execute, Malwarebytes' Anti-Malware
    http://www.malwarebytes.org/mbam/program/mbam-setup.exe


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Dec 7, 2009
    #2

  3. On Dec 7, 4:10 pm, "David H. Lipman" <DLipman~>
    wrote:
    > The Vundotrojan/Virtumonde adware has been known to redirect to StopZilla.
    >
    > Download, install, update and then execute, Malwarebytes' Anti-Malware
    > http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    >



    Thanks very much for the name of the thing. I did a
    Google search (on my Linux box, of course) and found
    the article on Vundo to be informative and apparently
    up to date. It did say that the thing attacks the
    MalwareBytes product, but it also had a reference
    to a site with detailed instructions --
    http://www.wikihow.com/Delete-Virtumonde
    that listed several other products. At any rate, it
    looks like I'll have to budget a couple of hours for
    the process, so it may be a few days before I can
    get around to it and report back here.

    --
    Charles Packer
    http://cpacker.org/whatnews
    mailboxATcpacker.org
     
    Charles Packer, Dec 8, 2009
    #3
  4. From: "Charles Packer" <>

    | Thanks very much for the name of the thing. I did a
    | Google search (on my Linux box, of course) and found
    | the article on Vundo to be informative and apparently
    | up to date. It did say that the thing attacks the
    | MalwareBytes product, but it also had a reference
    | to a site with detailed instructions --
    | http://www.wikihow.com/Delete-Virtumonde
    | that listed several other products. At any rate, it
    | looks like I'll have to budget a couple of hours for
    | the process, so it may be a few days before I can
    | get around to it and report back here.

    | --
    | Charles Packer
    | http://cpacker.org/whatnews
    | mailboxATcpacker.org

    Charles:

    Dealing with malware is nothing that should be delayed UNLESS... the PC is kept off
    during that period.

    Additionally, there is NO reason to wipe the PC and reinstall the OS from scratch at this
    time. No web search hijacking trojan rises to this level of draconian action.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Dec 8, 2009
    #4
  5. Fugazi (Guest)

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
    > From: "Charles Packer" <>
    >
    > | Thanks very much for the name of the thing. I did a
    > | Google search (on my Linux box, of course) and found
    > | the article on Vundo to be informative and apparently
    > | up to date. It did say that the thing attacks the
    > | MalwareBytes product, but it also had a reference
    > | to a site with detailed instructions --
    > | http://www.wikihow.com/Delete-Virtumonde
    > | that listed several other products. At any rate, it
    > | looks like I'll have to budget a couple of hours for
    > | the process, so it may be a few days before I can
    > | get around to it and report back here.
    >
    > | --
    > | Charles Packer
    > | http://cpacker.org/whatnews
    > | mailboxATcpacker.org
    >
    > Charles:
    >
    > Dealing with malware is nothing that should be delayed UNLESS... the PC is kept off
    > during that period.
    >
    > Additionally, there is NO reason to wipe the PC and reinstall the OS from scratch at this
    > time.
    >
    > No web search hijacking trojan rises to this level of draconian
    > action.


    Well, as far as David assumes. It's mighty hard to prove that
    negative he's attempting to pawn off as fact.

    As such, if you wanna sleep without many worries, flatten and
    rebuild. If you're a gamblin man, remove the malware you know about,
    and do some hoping there isn't malware that you can't detect, and go
    about your day with lingering doubts.

    Note also that attackers are getting very good at search optimization
    so if you go looking for solutions using web searches for a problem
    you have, it's not hard to end up with rogue anti-malware products as
    well as an offered solution to your problem.

    From today's wire feeds, as just one example
    http://news.yahoo.com/s/ap/20091208/ap_on_hi_te/us_tec_search_engine_safety
     
    Fugazi, Dec 8, 2009
    #5
  6. From: "Fugazi" <>

    | Well, as far as David assumes. It's mighty hard to prove that
    | negative he's attempting to pawn off as fact.

    | As such, if you wanna sleep without many worries, flatten and
    | rebuild. If you're a gamblin man, remove the malware you know about,
    | and do some hoping there isn't malware that you can't detect, and go
    | about your day with lingering doubts.

    | Note also that attackers are getting very good at search optimization
    | so if you go looking for solutions using web searches for a problem
    | you have, it's not hard to end up with rogue anti-malware products as
    | well as an offered solution to your problem.

    | From today's wire feeds, as just one example
    | http://news.yahoo.com/s/ap/20091208/ap_on_hi_te/us_tec_search_engine_safety

    All that "example" shows is the nature of the Internet as being the Wild Wild West and NOT
    World Wide Web.

    In actuality we do NOT know what is on the OP's PC. For all we know there could be a
    Mebroot or even a Parite infection. All we have to go on is the OPs words.

    Not all malware requires a wipe and rebuild and if that was the case, EVERYONE would need
    to be doing it once per week.

    Investigation first, cost benefit analysis second and course of action third. If the CBA
    determines wipe a rebuild fine. However such a draconian action can also lead to loss of
    user data, loss of applications and even MORE time than removing a Vundo trojan or Browser
    Helper Object.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Dec 8, 2009
    #6
  7. Mike Easter (Guest)

    I'm somewhat confused by the positions in these discussions.

    Moe Trin wrote:
    > David H. Lipman wrote:
    >> "Fugazi"


    >>> As such, if you wanna sleep without many worries, flatten and
    >>> rebuild. If you're a gamblin man, remove the malware you know
    >>> about, and do some hoping there isn't malware that you can't
    >>> detect, and go about your day with lingering doubts.


    Fugazi sez - one could go either way, flatten/rebuild or just apparent
    malware removal.

    >> In actuality we do NOT know what is on the OP's PC.


    > Users are notoriously unable to describe technical problems, and are
    > even less able to _notice_ that something is wrong.
    >
    >> Not all malware requires a wipe and rebuild and if that was the
    >> case, EVERYONE would need to be doing it once per week.


    DHL seems to be arguing against the flatten/rebuild side of the
    argument, but that was only one side of Fugazi's position.

    > You are assuming the user can make a rational technical decision.
    > Were that the case, the incidence of mal-ware infestations would be
    > much lower.


    > Given that the average user has no clue what is happening with the
    > computer, the alternative is trying to install ``something'' else
    > that the user hopes (but has no guarantee) will do something useful,
    > and isn't another version of mal-ware. But for the same reason, the
    > average user is also quite incapable of a wipe/reinstall.


    MT seems to be arguing with DHL, except to say that the same infected
    user can neither make a rational decision about whether to target
    malware remove *NOR* be able to flatten/rebuild.

    Maybe MT's ultimate argument is that the user should be using an OS less
    vulnerable to such problems, which OS has been installed by the
    'factory' -- maybe a Mac :)


    --
    Mike Easter
     
    Mike Easter, Dec 9, 2009
    #7
  8. Mike Easter (Guest)

    ~BD~ wrote:

    > What advice would you give to 'the average user' who wishes to *attempt*
    > to wipe/reinstall Windows successfully?
    >
    > Let us assume that the MBR is infected too!


    None of the last 4 computers which I bought with an OS installed 'from
    the factory' came with a genuine MS OS disk. 2 of them came with
    Linspire preinstalled and 'genuine' linspire disks; 2 of them, 1 XP and
    1 Vista, came only with manufacturers' restore function on/from a
    separate partition on the hdd, no disks, MS or OEM. If you wanted
    disks, the installed OS had a function so that you could burn CDs or
    DVDs to reinstall from the burned opticals instead of from the hdd
    partition. Or you could order such disks from the manufacturer.

    In both of those windows cases, the entire disk image including MBR
    would be rewritten by the restore.

    Back in the old days when buying a computer with windows installed
    actually came with a MS CD or DVD to install with instead of an image
    'pre-packaged' - or 'pre-imaged' - with bloatware, one would format the
    drive prior to the install. The formatting wipes out the boot sector
    which MBR is restored during the course of the install.



    --
    Mike Easter
     
    Mike Easter, Dec 9, 2009
    #8
  9. From: "Moe Trin" <>

    | On Tue, 8 Dec 2009, in the Usenet newsgroup alt.computer.security, in article
    | <>, David H. Lipman wrote:

    >>From: "Fugazi" <>


    >>| As such, if you wanna sleep without many worries, flatten and
    >>| rebuild. If you're a gamblin man, remove the malware you know
    >>| about, and do some hoping there isn't malware that you can't
    >>| detect, and go about your day with lingering doubts.


    >>In actuality we do NOT know what is on the OP's PC.


    | So how then do you assume that the anti-mal-ware tool will be able
    | to remove all of the bad stuff?

    >>For all we know there could be a Mebroot or even a Parite infection.
    >>All we have to go on is the OPs words.


    | Users are notoriously unable to describe technical problems, and are
    | even less able to _notice_ that something is wrong.

    >>Not all malware requires a wipe and rebuild and if that was the
    >>case, EVERYONE would need to be doing it once per week.


    | Not everyone is brain-dead and either clicks OK without reading, has
    | disabled warning messages, or has enabled "auto-install" because it
    | improves their ``internet experience''.

    >>Investigation first, cost benefit analysis second and course of
    >>action third.


    | You are assuming the user can make a rational technical decision.
    | Were that the case, the incidence of mal-ware infestations would be
    | much lower.

    >>If the CBA determines wipe a rebuild fine. However such a draconian
    >>action can also lead to loss of user data, loss of applications and
    >>even MORE time than removing a Vundo trojan or Browser Helper Object.


    | Given that the average user has no clue what is happening with the
    | computer, the alternative is trying to install ``something'' else
    | that the user hopes (but has no guarantee) will do something useful,
    | and isn't another version of mal-ware. But for the same reason, the
    | average user is also quite incapable of a wipe/reinstall.

    | Old guy

    Moe Trin:

    Using the same logic, the average user would have no clue how to backup their data, wipe
    the PC, reinstall the OS, patch it, install all applications, restore their data and setup
    the PC to the same relative working condition.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Dec 9, 2009
    #9
  10. David H. Lipman, Dec 9, 2009
    #10
  11. Mike Easter (Guest)

    ~BD~ wrote:
    > Mike Easter wrote:


    >> None of the last 4 computers which I bought with an OS installed 'from
    >> the factory' came with a genuine MS OS disk.


    > I have a genuine retail copy of Windows XP on CD, together with SP1, SP2
    > and SP3 on CD's supplied by post from Microsoft.
    >
    > How certain are you that using the XP CD alone to format before
    > installation will over-write the MBR?


    To be perfectly honest, I don't have one of those real MS ones to look
    at. I generally use tools like Hiren's Boot CD (which I wouldn't
    consider to be free of piracy) or a linux disk to handle formatting or
    partitioning and such.

    > I'm sure that I've read that FDISK or DBAN should first be used to rid
    > malware from the MBR.


    So, if you put the genuine MS derived/sourced XP disk in and boot from
    it, do you get some tools to do things like formatting before you begin?
    I know that I can do whatever I want to with all of the myriad utilities
    on hiren's. Likewise TinyXP.



    --
    Mike Easter
     
    Mike Easter, Dec 9, 2009
    #11
  12. Mike Easter (Guest)

    ~BD~ wrote:
    > Mike Easter wrote:


    >> I don't have one of those real MS ones


    > I've not carried out the install exercise for some months now (not since
    > I bought my iMac!) but IIRC there are no 'tools' as such - for the likes
    > of me, anyway!
    >
    > When one elects to carry out a new install of XP (this is the Home
    > edition I have) one is asked to format and one can choose 'Quick' or
    > 'normal' (longer!).
    >
    > I'm sorry I can't recall from where I've got this notion about the MBR
    > remaining intact (and possibly still being infected). Perhaps someone
    > else will know.


    I'm reading that the real MS one has tools in the Recovery Console,
    which includes the tools fixboot and fixmbr; and in addition that fdisk
    has the undocumented command fdisk /mbr which rewrites the mbr.

    fixboot writes new bootsector code on the partition; fixmbr repairs the
    mbr of the boot partition for virus damaged mbr

    From MS's kb 314058

    http://support.microsoft.com/kb/314058 Option 2: Starting the Windows
    Recovery Console from the Windows XP CD-ROM - If you have not
    preinstalled the Windows Recovery Console, you can start the computer
    and use the Recovery Console directly from your original Windows XP
    installation disc.

    .... and then it goes on to describe all of the tools including fixmbr &
    fixboot


    --
    Mike Easter
     
    Mike Easter, Dec 10, 2009
    #12
  13. Mike Easter (Guest)

    Mike Easter wrote:
    > ~BD~ wrote:


    >> When one elects to carry out a new install of XP (this is the Home
    >> edition I have) one is asked to format and one can choose 'Quick' or
    >> 'normal' (longer!).
    >>
    >> I'm sorry I can't recall from where I've got this notion about the MBR
    >> remaining intact (and possibly still being infected). Perhaps someone
    >> else will know.

    >
    > I'm reading that the real MS one has tools in the Recovery Console,
    > which includes the tools fixboot and fixmbr; and in addition that fdisk
    > has the undocumented command fdisk /mbr which rewrites the mbr.


    Personally, I would much rather work with choices from all of the tools
    in something like Hiren's or TinyXP or a linux live CD.

    There are lots of utility boot disks that have a lot more friendly tools
    than what is described for the genuine XP install disk.



    --
    Mike Easter
     
    Mike Easter, Dec 10, 2009
    #13
  14. Mike Easter (Guest)

    ~BD~ wrote:
    > Mike Easter wrote:


    >>> I'm reading that the real MS one has tools in the Recovery Console,
    >>> which includes the tools fixboot and fixmbr;


    >> Personally, I would much rather work with choices from all of the
    >> tools in something like Hiren's or TinyXP or a linux live CD.


    > I do recall trying to access the Recovery Console in the dim and distant
    > past, but vaguely remember getting stuck when faced with item 3./4. -
    > "When you are prompted, type the Administrator password".


    Here's how you get to and use the Recovery Console. Select the R for
    Recovery Console at the blue Startup screen. The first Recovery Console
    screen changes to black and requests which installation and if there is
    only one, you must press 1 before Enter. Then comes the prompt for
    Admin pw; but the default is blank so you just hit Enter. This article
    shows you screenshots of all of that. http://snipr.com/tmxx4 How to
    access the Recovery Console:

    You can use the Help to see the commands and Help command to get a
    little info about them. That MS kb article I cited earlier also
    describes the commands.

    > Might it be reasonable to deduce that unless one does actually use the
    > Recovery Console to rewrite the MBR (or use one of the other methods you
    > have mentioned) simply running the 'Install' procedure on the Windows
    > set-up CD *could* leave a virus or other form of malware sitting in the
    > MBR ready to pounce once again into the bright and shiny new
    > installation?


    If you have a damaged or infected mbr, the routine XP install won't do
    anything about it. I once had a problem mbr, not from a virus but from
    some kind of grub misadventure. It was such 'strange' damage that I had
    to use a sector editor to zero it out; fix mbr didn't work. That is
    another example in which it seemed to me that I needed some tools with
    more flexibility or power than the hammer and chisel ones such as are
    listed in the MS Recovery Console.

    > I wonder if that's what 'Moe Trin' was getting at.


    When you refer to 'something' someone was 'getting at', you should find
    their words and quote them.


    --
    Mike Easter
     
    Mike Easter, Dec 10, 2009
    #14
  15. From: "Moe Trin" <>

    | On Wed, 9 Dec 2009, in the Usenet newsgroup alt.computer.security, in article
    | <>, David H. Lipman wrote:

    >>From: "Moe Trin" <>


    >>| Given that the average user has no clue what is happening with the
    >>| computer, the alternative is trying to install ``something'' else
    >>| that the user hopes (but has no guarantee) will do something useful,
    >>| and isn't another version of mal-ware. But for the same reason, the
    >>| average user is also quite incapable of a wipe/reinstall.


    >>Using the same logic, the average user would have no clue how to
    >>backup their data, wipe the PC, reinstall the OS, patch it, install
    >>all applications, restore their data and setup the PC to the same
    >>relative working condition.


    | You notice that? At best, they may know to take the computer to
    | some store and hope that there is someone there who can ``fix''
    | the problem with the computer (it's NEVER a user problem) for not
    | to much money. More likely, they'll look for some magic software
    | that they can install that will stop the computer from getting
    | sick... or maybe there's a pill or some lotion you can...

    | Old guy

    Pill.

    Everybody is always searching for that magic pill that cures all ailments.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
    David H. Lipman, Dec 10, 2009
    #15
  16. Mike Easter (Guest)

    ~BD~ wrote:

    > It is good to hear you confirm that a routine install of XP does *not*
    > correct an infected MBR.
    >
    > http://www.symantec.com/connect/blogs/bootroot-trojanmebroot-rootkit-your-mbr
    >
    > AFAICT, there is no easy way to determine if one has actually attracted
    > such an infection.


    I think that many people who have a regular program for scanning also
    include a strategy for scanning the boot sector. An important feature
    of the popular free AV Avast is its capabilities to do a bootsector
    scan.

    When you read articles about how those who provide tech services go
    about 'attacking' a sick machine, the bootsector scan is part of the
    routine.

    > Perhaps whenever one feels it necessary to reinstall Windows, the MBR
    > should be rewritten first.


    There are many different kinds of reasons to be reinstalling, and some
    of them include rewriting the mbr.

    > FYI, I have now used my XP CD to boot to the Recovery Console just as
    > you have described. Thank you! :)


    There's nothing quite like seeing it for yourself.



    --
    Mike Easter
     
    Mike Easter, Dec 11, 2009
    #16
  17. On Dec 8, 10:40 am, ~BD~ <> wrote:
    > Charles, from my own past experience of experimenting with malware
    > infection, it will be much quicker and easier to simply flatten the
    > machine (remove all partitions) and re-install Windows from scratch!


    I agree. Given the complexity of removing this particular
    malware, I'd go for re-installing if it were my box.
    I go back to the days when hard drives were
    unreliable, and I've kept offline backups of all my
    important software and data ever since. Anybody
    who's prepared for a hard drive failure is prepared for
    re-installation after a malware attack.

    In this case, though, it's out of my hands now. I came home
    from work with a printout of the Wiki-how instructions
    and found that my stepdaughter had transferred her
    Norton subscription to her mother and a Norton technician
    was already working on the box remotely.

    --
    Charles Packer
    http://cpacker.org/whatnews
    mailboxATcpacker.org
     
    Charles Packer, Dec 11, 2009
    #17
  18. Mike Easter (Guest)

    ~BD~ wrote:

    >> When you read articles about how those who provide tech services go
    >> about 'attacking' a sick machine, the bootsector scan is part of the
    >> routine.


    > I know a couple of guys in local computer shops who don't, as far as I
    > know, look at the Boot sector before installing Windows!


    Notice the difference between what I said and what you said.

    I made my reference to people who are fixing a sick - implying
    infected - machine.

    You made your reference simply to guys in computer shops who are
    installing windows. Your referenced guys could certainly be installing
    windows on a clean new not-previously-infected hdd.

    > Perhaps I should mention this to them!


    Or, they could already know what they are doing while you do not.

    >>> FYI, I have now used my XP CD to boot to the Recovery Console just as
    >>> you have described. Thank you! :)
    >>>

    >> There's nothing quite like seeing it for yourself.


    > At the risk of boring you to tears, I tried this on my wife's Acer
    > Aspire 3000 laptop today (it had XP Home from new)
    > ..... using my retail copy of the XP CD. All happened just as before
    > *until* I got to the stage of the password requirement.
    >
    > This time inserting 'nothing' did *not* allow me to proceed! I got a
    > message saying "The password is not valid. Please retype the password"
    > I did the same twice more and was then told "An invalid password has
    > been entered 3 times. To restart your computer, press ENTER".


    MS kb 308402 describes a problem encountered with the pw step when the
    OS has been installed by an OEM using sysprep. The wiki and MS describe
    sysprep.

    > As I have all the re-installation discs supplied when new, I've
    > subsequently flattened and rebuilt the machine this afternoon!
    >
    > I first took the laptop apart and cleaned all dust from the fan with a
    > brush and then gave it a good blow-through with compressed air too!
    >
    > It seems to have a new lease of life now!


    Presumably the reinstallation disks are disk images and one might find
    that if you tried to use your retail copy XP disk that you /still/
    wouldn't be able to access the Recovery Console because of pw problem.


    --
    Mike Easter
     
    Mike Easter, Dec 11, 2009
    #18
  19. flow (Guest)

    It's got her hosts file - just delete everything in there.

    I think it's in:

    *:/windows/system32/drivers/etc/hosts

    Or something like that.
     
    flow, Jan 11, 2010
    #19
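The hosts-file hijack flow mentions can be inspected before anything is deleted. The following Python check is an added example, not code from the thread; it parses hosts-file text and flags entries that override security-vendor names, either pinning them to loopback (blocked) or to some other address (redirected). The vendor watchlist and the sample hosts content are constructed for the demo; on Windows XP the real file lives at %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Flag hosts-file entries that hijack security-vendor sites.

Added example, not code from the thread. Adware of the Vundo/Virtumonde
family is known to tamper with the hosts file so that anti-virus vendor
names resolve to 127.0.0.1 (blocked) or to an attacker-chosen address
(redirected). The sample hosts text below is constructed for this demo.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Vendor names taken from the thread; extend for your own environment (assumption).
DEFAULT_WATCHLIST = (
    "symantec.com",
    "malwarebytes.org",
    "microsoft.com",
    "avast.com",
)

# Names a Windows XP hosts file legitimately maps to loopback.
LEGIT_LOOPBACK_NAMES = {"localhost"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: List[str]


@dataclass
class Finding:
    line_no: int
    address: str
    name: str
    kind: str  # "blocked" (loopback address) or "redirected" (any other)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into entries, skipping blanks, comments and junk."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = re.split(r"\s+", line)
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        if names:
            entries.append(HostsEntry(line_no, address, [n.lower() for n in names]))
    return entries


def _on_watchlist(name: str, watchlist: Iterable[str]) -> bool:
    """True when name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def find_hijacks(text: str, watchlist: Iterable[str] = DEFAULT_WATCHLIST) -> List[Finding]:
    """Return every hosts entry that overrides a watched security-vendor name."""
    findings = []
    for entry in parse_hosts(text):
        loopback = ipaddress.ip_address(entry.address).is_loopback
        for name in entry.names:
            if name in LEGIT_LOOPBACK_NAMES and loopback:
                continue  # the one loopback mapping that belongs there
            if _on_watchlist(name, watchlist):
                kind = "blocked" if loopback else "redirected"
                findings.append(Finding(entry.line_no, entry.address, name, kind))
    return findings


# Constructed sample: one legitimate line, then tampered entries.
# 192.0.2.44 is a documentation (TEST-NET) address standing in for a rogue host.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1   www.symantec.com   # vendor site silently blocked
127.0.0.1   liveupdate.symantec.com
192.0.2.44  www.malwarebytes.org   # redirected to a rogue host
192.0.2.44  update.microsoft.com
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.name} -> {f.address} ({f.kind})")
```

To check a live machine, read the real file into `find_hijacks` instead of `SAMPLE_HOSTS`; an empty result means no watched vendor name is overridden, which is the state a clean XP hosts file should be in.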
