# Web searches hijacked by malware

My wife's Windows XP system has suddenly acquired some
malware that, basically, intervenes in any Web search
she does for information about computer viruses, etc.,
i.e. the very information she would need to remove it.
It also intervenes when she attempts to go directly to
an anti-virus vendor, e.g. symantec.com.

As a long-time Linux guy, this is the first time I've
ever seen a seriously infected computer. It seems to want to
route her to Stopzilla.com, because that's the page
that usually is the endpoint of the hijacking. I learned
that Stopzilla is apparently a legitimate vendor.
So what's going on? There's a ton of information on
the Web about how to deal with viruses. Does anybody
here recognize this particular problem and know
a shortcut to finding a solution to it? Or, let
me know if more details are needed for a useful
discussion here.

--
Charles Packer
http://cpacker.org/whatnews
mailboxATcpacker.org

## Re: Web searches hijacked by malware

On 07/12/2009 13:18, Charles Packer wrote:

Hello Charles

Try here: http://www.malwarebytes.org/contact.php

Use the 'blue' button (it is free!)

transfer to a memory stick to install on your wife's machine.

Then scan!  Tell us how you get on please.

HTH

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)

## Re: Web searches hijacked by malware

| My wife's Windows XP system has suddenly acquired some
| malware that, basically, intervenes in any Web search
| she does for information about computer viruses, etc.,
| i.e. the very information she would need to remove it.
| It also intervenes when she attempts to go directly to
| an anti-virus vendor, e.g. symantec.com.

| As a long-time Linux guy, this is the first time I've
| ever seen a seriously infected computer. It seems to want to
| route her to Stopzilla.com, because that's the page
| that usually is the endpoint of the hijacking. I learned
| that Stopzilla is apparently a legitimate vendor.
| So what's going on? There's a ton of information on
| the Web about how to deal with viruses. Does anybody
| here recognize this particular problem and know
| a shortcut to finding a solution to it? Or, let
| me know if more details are needed for a useful
| discussion here.

The Vundo trojan/Virtumonde adware has been known to redirect to StopZilla.

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

--
Dave

## Re: Web searches hijacked by malware

Thanks very much for the name of the thing. I did a
Google search (on my Linux box, of course) and found
the article on Vundo to be informative and apparently
up to date. It did say that the thing attacks the
MalwareBytes product, but it also had a reference
to a site with detailed instructions --
http://www.wikihow.com/Delete-Virtumonde
that listed several other products. At any rate, it
looks like I'll have to budget a couple of hours for
the process, so it may be a few days before I can
get around to it and report back here.

--
Charles Packer
http://cpacker.org/whatnews
mailboxATcpacker.org

## Re: Web searches hijacked by malware

On 08/12/2009 12:12, Charles Packer wrote:

Whilst you may *enjoy* the experience of 'cleaning' your wife's laptop,
Charles, from my own past experience of experimenting with malware
infection, it will be much quicker and easier to simply flatten the
machine (remove all partitions) and re-install Windows from scratch!

Such action will also ensure that no back-doors are left open!

If you do this, make sure you have an anti-virus package installed
*before* you reconnect to the Internet!

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)

## Re: Web searches hijacked by malware

I agree. Given the complexity of removing this particular
malware, I'd go for re-installing if it were my box.
I go back to the days when hard drives were
unreliable, and I've kept offline backups of all my
important software and data ever since. Anybody
who's prepared for a hard drive failure is prepared for
re-installation after a malware attack.

In this case, though, it's out of my hands now. I came home
from work with a printout of the Wiki-how instructions
and found that my stepdaughter had transferred her
Norton subscription to her mother and a Norton technician
was already working on the box remotely.

--
Charles Packer
http://cpacker.org/whatnews
mailboxATcpacker.org

## Re: Web searches hijacked by malware

| Thanks very much for the name of the thing. I did a
| Google search (on my Linux box, of course) and found
| the article on Vundo to be informative and apparently
| up to date. It did say that the thing attacks the
| MalwareBytes product, but it also had a reference
| to a site with detailed instructions --
| http://www.wikihow.com/Delete-Virtumonde
| that listed several other products. At any rate, it
| looks like I'll have to budget a couple of hours for
| the process, so it may be a few days before I can
| get around to it and report back here.

| --
| Charles Packer
| http://cpacker.org/whatnews
| mailboxATcpacker.org

Charles:

Dealing with malware is nothing that should be delayed UNLESS... the PC is
kept off during that period.

Additionally, there is NO reason to wipe the PC and reinstall the OS from
scratch at this time. No web search hijacking trojan rises to this level of
draconian action.

--
Dave

## Re: Web searches hijacked by malware

Well, as far as David assumes.  It's mighty hard to prove that
negative he's attempting to pawn off as fact.

As such, if you wanna sleep without many worries, flatten and
rebuild.  If you're a gamblin man, remove the malware you know about,
and do some hoping there isn't malware that you can't detect, and go

Note also that attackers are getting very good at search optimization
so if you go looking for solutions using web searches for a problem
you have, it's not hard to end up with rogue anti-malware products as
well as an offered solution to your problem.

From today's wire feeds, as just one example
http://news.yahoo.com/s/ap/20091208/ap_on_hi_te/us_tec_search_engine_safety

## Re: Web searches hijacked by malware

| Well, as far as David assumes.  It's mighty hard to prove that
| negative he's attempting to pawn off as fact.

| As such, if you wanna sleep without many worries, flatten and
| rebuild.  If you're a gamblin man, remove the malware you know about,
| and do some hoping there isn't malware that you can't detect, and go

| Note also that attackers are getting very good at search optimization
| so if you go looking for solutions using web searches for a problem
| you have, it's not hard to end up with rogue anti-malware products as
| well as an offered solution to your problem.

| From today's wire feeds, as just one example
| http://news.yahoo.com/s/ap/20091208/ap_on_hi_te/us_tec_search_engine_safety

All that "example" shows is the nature of the Internet as being the Wild Wild
West and NOT World Wide Web.

In actuality we do NOT know what is on the OP's PC. For all we know there could
be a Mebroot or even a Parite infection. All we have to go on is the OP's words.

Not all malware requires a wipe and rebuild, and if that was the case, EVERYONE
would need to be doing it once per week.

Investigation first, cost benefit analysis second and course of action third.
If the CBA determines wipe and rebuild, fine. However such a draconian action
can also lead to loss of user data, loss of applications and even MORE time
than removing a Vundo trojan or Browser Helper Object.

--
Dave

## Re: Web searches hijacked by malware

On Tue, 8 Dec 2009, in the Usenet newsgroup alt.computer.security, in article

So how then do you assume that the anti-mal-ware tool will be able
to remove all of the bad stuff?

Users are notoriously unable to describe technical problems, and are
even less able to _notice_ that something is wrong.

disabled warning messages, or has enabled "auto-install" because it
improves their internet experience".

You are assuming the user can make a rational technical decision.
Were that the case, the incidence of mal-ware infestations would be
much lower.

Given that the average user has no clue what is happening with the
computer, the alternative is trying to install "something" else
that the user hopes (but has no guarantee) will do something useful,
and isn't another version of mal-ware.  But for the same reason, the
average user is also quite incapable of a wipe/reinstall.

Old guy

## Re: Web searches hijacked by malware

On 09/12/2009 19:53, Moe Trin wrote:

What advice would you give to 'the average user' who wishes to *attempt*
to wipe/reinstall Windows successfully?

Let us assume that the MBR is infected too!

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)

## Re: Web searches hijacked by malware

~BD~ wrote:

None of the last 4 computers which I bought with an OS installed 'from
the factory' came with a genuine MS OS disk.  2 of them came with
Linspire preinstalled and 'genuine' linspire disks;  2 of them, 1 XP and
1 Vista, came only with manufacturers' restore function on/from a
separate partition on the hdd, no disks, MS or OEM.  If you wanted
disks, the installed OS had a function so that you could burn CDs or
DVDs to reinstall from the burned opticals instead of from the hdd
partition.  Or you could order such disks from the manufacturer.

In both of those windows cases, the entire disk image including MBR
would be rewritten by the restore.

Back in the old days when buying a computer with windows installed
actually came with a MS CD or DVD to install with instead of an image
'pre-packaged' - or 'pre-imaged' - with bloatware, one would format the
drive prior to the install.  The formatting wipes out the boot sector
which MBR is restored during the course of the install.

--
Mike Easter

## Re: Web searches hijacked by malware

On 09/12/2009 21:40, Mike Easter wrote:

Thanks for that insight, Mike!  :)

I have a genuine retail copy of Windows XP on CD, together with SP1, SP2
and SP3 on CDs supplied by post from Microsoft.

How certain are you that using the XP CD alone to format before
installation will over-write the MBR?

I'm sure that I've read that FDISK or DBAN should first be used to rid
malware from the MBR.

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)

## Re: Web searches hijacked by malware

~BD~ wrote:

To be perfectly honest, I don't have one of those real MS ones to look
at.  I generally use tools like Hiren's Boot CD (which I wouldn't
consider to be free of piracy) or a linux disk to handle formatting or
partitioning and such.

So, if you put the genuine MS derived/sourced XP disk in and boot from
it, do you get some tools to do things like formatting before you begin?
I know that I can do whatever I want to with all of the myriad utilities
on hiren's.  Likewise TinyXP.

--
Mike Easter

## Re: Web searches hijacked by malware

On 09/12/2009 23:13, Mike Easter wrote:

I like folk who are honest!  :)

I've not carried out the install exercise for some months now (not since
I bought my iMac!) but IIRC there are no 'tools' as such - for the likes
of me, anyway!

When one elects to carry out a new install of XP (this is the Home
edition I have) one is asked to format and one can choose 'Quick' or
'normal' (longer!).

I'm sorry I can't recall from where I've got this notion about the MBR
remaining intact (and possibly still being infected). Perhaps someone
else will know.

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)

## Re: Web searches hijacked by malware

~BD~ wrote:

I'm reading that the real MS one has tools in the Recovery Console,
which includes the tools fixboot and fixmbr;  and in addition that fdisk
has the undocumented command fdisk /mbr which rewrites the mbr.

fixboot writes new boot sector code on the partition; fixmbr repairs the
MBR of the boot partition for a virus-damaged MBR.

From MS's kb 314058

http://support.microsoft.com/kb/314058  Option 2: Starting the Windows
Recovery Console from the Windows XP CD-ROM - If you have not
preinstalled the Windows Recovery Console, you can start the computer
and use the Recovery Console directly from your original Windows XP
installation disc.

... and then it goes on to describe all of the tools including fixmbr &
fixboot

--
Mike Easter

## Re: Web searches hijacked by malware

Mike Easter wrote:

Personally, I would much rather work with choices from all of the tools
in something like Hiren's or TinyXP or a linux live CD.

There are lots of utility boot disks that have a lot more friendly tools
than what is described for the genuine XP install disk.

--
Mike Easter

## Re: Web searches hijacked by malware

On 10/12/2009 00:49, Mike Easter wrote:

I'd like to thank you for the time you have spent investigating this
matter, Mike.

I do recall trying to access the Recovery Console in the dim and distant
past, but vaguely remember getting stuck when faced with item 3./4. -

I don't think I was ever able to conjure up a 'password' which would
work and give me access to the tools you mention. <rolls eyes>

The reference item you found  (Microsoft) has been printed out for easy
future reference. Perhaps I'll have another try some time!

Might it be reasonable to deduce that unless one does actually use the
Recovery Console to rewrite the MBR (or use one of the other methods you
have mentioned) simply running the 'Install' procedure on the Windows
set-up CD *could* leave a virus or other form of malware sitting in the
MBR ready to pounce once again into the bright and shiny new installation?

I wonder if that's what 'Moe Trin' was getting at.

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)

## Re: Web searches hijacked by malware

~BD~ wrote:

Here's how you get to and use the Recovery Console.  Select the R for
Recovery Console at the blue Startup screen.  The first Recovery Console
screen changes to black and requests which installation and if there is
only one, you must press 1 before Enter.  Then comes the prompt for
shows you screenshots of all of that.  http://snipr.com/tmxx4 How to
access the Recovery Console:

You can use the Help to see the commands and Help command to get a
little info about them.  That MS kb article I cited earlier also
describes the commands.

If you have a damaged or infected mbr, the routine XP install won't do
anything about it.  I once had a problem mbr, not from a virus but from
some kind of grub misadventure.  It was such 'strange' damage that I had
to use a sector editor to zero it out; fixmbr didn't work.  That is
another example in which it seemed to me that I needed some tools with
more flexibility or power than the hammer and chisel ones such as are
listed in the MS Recovery Console.

When you refer to 'something' someone was 'getting at', you should find
their words and quote them.

--
Mike Easter
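An added example, not code from this thread or from any of the tools named in it, to make concrete the two MBR repairs Mike describes above: what fixmbr and fdisk /mbr do (replace the 446 bytes of boot code, keep the partition table and the 0x55AA signature) versus what zeroing the sector with a sector editor does (boot code, partition table and signature all go). It works on a 512-byte image such as one taken from a Linux live CD with `dd if=/dev/sda of=mbr.bin bs=512 count=1`; the two images here are constructed, the "known-good" boot code is a two-byte `jmp $` stand-in rather than real Windows boot code, and the "tampered" copy is simply different bytes, not any real infection.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: executable boot code (what fixmbr rewrites)
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries (kept by fixmbr)
PART_ENTRY_LEN = 16
SIG_OFF = 510            # bytes 510..511: boot signature
BOOT_SIG = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into signature check, boot-code hash and partition table."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIG_OFF:] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_matches(mbr: bytes, known_good: bytes) -> bool:
    """Compare only the executable part; the partition table legitimately differs per machine."""
    return mbr[:BOOT_CODE_LEN] == known_good[:BOOT_CODE_LEN]


def rewrite_boot_code(mbr: bytes, new_boot_code: bytes) -> bytes:
    """Analogue of fixmbr / fdisk /mbr: fresh boot code, partition table and signature kept."""
    code = new_boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return code + mbr[PART_TABLE_OFF:SIG_OFF] + BOOT_SIG


def zero_sector() -> bytes:
    """Analogue of zeroing the sector in a sector editor: code, table and signature all gone."""
    return b"\x00" * SECTOR


def read_mbr(path: str) -> bytes:
    """Load the first 512 bytes of a disk image or a dd dump."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


# --- constructed sample data: not real Windows boot code, not a real infection ---
CLEAN_BOOT_CODE = b"\xeb\xfe".ljust(BOOT_CODE_LEN, b"\x00")              # jmp $ stand-in
TAMPERED_BOOT_CODE = (b"\xe9\x00\x01" + b"\x90" * 13).ljust(BOOT_CODE_LEN, b"\x00")
# one bootable NTFS (0x07) partition starting at LBA 63, 10 GiB; the other three slots unused
PART_TABLE = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20971520)
PART_TABLE += b"\x00" * (PART_ENTRY_LEN * 3)
CLEAN_MBR = CLEAN_BOOT_CODE + PART_TABLE + BOOT_SIG
TAMPERED_MBR = TAMPERED_BOOT_CODE + PART_TABLE + BOOT_SIG

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(image)
        print(name, "signature ok:", info["signature_ok"],
              "| boot code matches known-good:", boot_code_matches(image, CLEAN_BOOT_CODE),
              "| partitions:", info["partitions"])
    repaired = rewrite_boot_code(TAMPERED_MBR, CLEAN_BOOT_CODE)
    print("fixmbr-style repair restores clean image:", repaired == CLEAN_MBR)
    print("zeroed sector keeps partitions:", parse_mbr(zero_sector())["partitions"])
```

The point the thread circles around falls out of the two repair functions: a format-and-install only ever touches the partition, so `rewrite_boot_code` (fixmbr) is the minimum needed to evict code living in bytes 0..445, while `zero_sector` also discards the partition table, which is why it is the hammer to reach for only when you intend to repartition anyway. Comparing the boot-code hash against a copy taken from a known-clean machine of the same Windows version is the cheap check for whether the executable part has been altered at all.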

## Re: Web searches hijacked by malware

On 10/12/2009 16:15, Mike Easter wrote:

That information is very helpful. Bookmarked for possible future use.

It sounds as if you are more of a computer 'fixer' than a 'user', Mike!

It is good to hear you confirm that a routine install of XP does *not*
correct an infected MBR.
http://www.symantec.com/connect/blogs/bootroot-trojanmebroot-rootkit-your-mbr

AFAICT, there is no easy way to determine if one has actually attracted
such an infection.
Perhaps whenever one feels it necessary to reinstall Windows, the MBR
should be rewritten first.

You are right. I'm sorry about that ....... but it was not really what
he said, it was what I thought he might have been inferring!

FYI, I have now used my XP CD to boot to the Recovery Console just as
you have described. Thank you!  :)

--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)