Asked by maureen99
Browser redirected, has anyone seen this one

Hello,

I believe one of our networked computers is infected with a rogue antivirus program.  The symptoms included pop-up boxes warning of multiple viruses, and the browser was pointing to the following URL:
http://safe-your-pc008.com/scn1/?engine=%3D3Qz0jTuMjQzLjEzMC4xOTgmcGlkPTQwczEwJnRpbWU9MTI2MTc4OI0NaA%3DM


malwareurl.com has safe-your-pc008.com listed as "Fast Flux Rogue Antivirus"; however, I can't find anything else about this anywhere.


I had to force the browser closed with Task Manager to close all the pop-up windows.

This machine is running windows 2000 sp4.
Malwarebytes found nothing.  I ran SUPERAntiSpyware and it deleted lots of tracking cookies.

I'm now running Kaspersky's Virus Removal Tool to see if it finds anything.

What I really want to know is if anyone has had experience with fast flux or any other browser redirector?

Also, is there any way to tell what site it came from?  It looks like the browser history has been deleted, and the only records I have are the cookies and the index.dat files under History.IE5.  Anyone know a good way to view those index files?

Thanks,

Maureen



virus3.jpg
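An added example for the last question above, not part of the original thread: a small Python carver for the index.dat files under History.IE5 and Content.IE5. The record offsets it relies on (128-byte blocks, FILETIMEs at +0x08 and +0x10, URL and filename offsets at +0x34 and +0x38 in URL and LEAK records) are assumed from the version 5.2 layout as documented by the libmsiecf project, not taken from the thread; REDR records, which the cache index uses to record HTTP redirects, are string-carved so no offset is assumed for them. The sample buffer at the bottom is constructed in that layout, mixes history-style and cache-style records so every code path runs, and uses example.invalid plus the domain and file name quoted in this thread; it is not a capture from the infected machine.

```python
# Added example, not from the thread: carve URL / LEAK / REDR records out of an IE5-era
# index.dat (History.IE5\index.dat or Content.IE5\index.dat). Layout ASSUMED from the
# version 5.2 format as documented by the libmsiecf project: 128-byte blocks, FILETIMEs
# at +0x08 (modified) / +0x10 (accessed), record-relative offsets to the URL at +0x34 and
# the cached filename at +0x38. REDR records are string-carved, so no offset is assumed.
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80
MAGIC = b"Client UrlCache MMF Ver 5.2"
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None when unset."""
    return None if ft == 0 else WINDOWS_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10

def cstring(buf, start):
    """NUL-terminated latin-1 string at buf[start:]; '' if the offset lies outside buf."""
    if not 0 < start < len(buf):
        return ""
    return buf[start:].split(b"\x00", 1)[0].decode("latin-1")

def carve_printable(buf, start, minlen=8):
    """First run of at least minlen printable ASCII bytes at or after start."""
    run = bytearray()
    for b in buf[start:]:
        if 0x20 <= b < 0x7F:
            run.append(b)
        elif len(run) >= minlen:
            break
        else:
            run.clear()
    return run.decode("ascii") if len(run) >= minlen else ""

def parse_index_dat(data):
    """Walk the file block by block; return one dict per URL/LEAK/REDR record."""
    if not data.startswith(MAGIC):
        raise ValueError("not a version 5.2 index.dat")
    records, off = [], BLOCK
    while off + 8 <= len(data):
        sig = data[off:off + 4]
        nblocks = struct.unpack_from("<I", data, off + 4)[0]
        end = off + nblocks * BLOCK
        if sig not in (b"URL ", b"LEAK", b"REDR") or nblocks == 0 or end > len(data):
            off += BLOCK  # header, hash table or free block: step over it
            continue
        rec = data[off:end]
        entry = {"type": sig.decode().strip(), "offset": off}
        if sig == b"REDR":
            entry["url"] = carve_printable(rec, 8)
        else:
            loc, fn = struct.unpack_from("<II", rec, 0x34)
            entry["url"], entry["filename"] = cstring(rec, loc), cstring(rec, fn)
            entry["last_modified"] = filetime_to_dt(struct.unpack_from("<Q", rec, 0x08)[0])
            entry["last_accessed"] = filetime_to_dt(struct.unpack_from("<Q", rec, 0x10)[0])
        records.append(entry)
        off = end
    return records

def history_target(url):
    """Strip the 'Visited: user@' prefix History.IE5 puts in front of the real URL."""
    return url.split("@", 1)[1] if url.startswith("Visited: ") and "@" in url else url

def hits_for(records, needle):
    """Records whose URL or cached filename contains needle, earliest access first."""
    hits = [r for r in records if needle in r.get("url", "") or needle in r.get("filename", "")]
    return sorted(hits, key=lambda r: (r.get("last_accessed") is None, r.get("last_accessed") or WINDOWS_EPOCH))

# Constructed sample (not a real capture) laid out in the assumed 5.2 format.
def _record(sig, url, filename=b"", accessed=None, nblocks=2):
    body = bytearray(BLOCK * nblocks)
    body[0:4] = sig
    struct.pack_into("<I", body, 4, nblocks)
    if sig == b"REDR":  # target placed at +0x10 here; the parser carves it regardless
        body[0x10:0x10 + len(url) + 1] = url + b"\x00"
        return bytes(body)
    if accessed:
        struct.pack_into("<Q", body, 0x10, dt_to_filetime(accessed))
    pos = 0x68  # strings follow the fixed part of the record
    struct.pack_into("<I", body, 0x34, pos)
    body[pos:pos + len(url) + 1] = url + b"\x00"
    if filename:
        pos += len(url) + 1
        struct.pack_into("<I", body, 0x38, pos)
        body[pos:pos + len(filename) + 1] = filename + b"\x00"
    return bytes(body)

T0 = datetime(2009, 12, 25, 18, 30, tzinfo=timezone.utc)
SAMPLE_INDEX_DAT = (
    MAGIC.ljust(BLOCK, b"\x00")  # a real header is 0x4000 bytes plus hash tables; both get skipped
    + _record(b"URL ", b"Visited: user@http://example.invalid/start", accessed=T0)
    + _record(b"REDR", b"http://safe-your-pc008.com/scn1/")
    + _record(b"URL ", b"http://example.invalid/dl/pack_40s10.exe", b"pack_40s10[1].exe",
              accessed=T0 + timedelta(minutes=2))
    + _record(b"LEAK", b"http://example.invalid/deleted.html", accessed=T0 - timedelta(days=1))
)
```

Feed parse_index_dat the raw bytes of a copied index.dat (copy it from the offline disk or while logged in as a different user, since Internet Explorer keeps the live file open) and query the result with hits_for(records, "safe-your-pc008.com"). LEAK records are entries whose cached file has already been deleted, which is one reason a wiped history can still leave traces; REDR records show the redirect hops that led to the rogue page; and for Content.IE5 the filename field is the name under the cache subfolder, which is how a hit on a file like the pack_40s10[1].exe mentioned later in this thread is tied back to its download URL.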
ASKER CERTIFIED SOLUTION by Kyle Abrahams, PMP
I think you will want to run an anti-rootkit tool at least once prior to your other Windows-based anti-malware.

Sophos makes a good one:  http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

After you have run the anti-rootkit tool, update and run your other anti-malware programs.  ComboFix and Malwarebytes are the best place to start.
maureen99 (ASKER):
Thanks...I will definitely do the ComboFix, SmitFraud and Sophos Anti-Rootkit.

Does anyone have a good link for smitfraud?

Unfortunately, it now may have spread to a second pc on that subnet.  

Malwarebytes ran on the initial PC and didn't find anything; I did a successful update before I ran it.  However, Kaspersky Virus Removal Tool 2010 did find Trojan.Win32.FraudPack.ajsx in the file pack_40s10[1].exe.  This file was in one of the folders under Content.IE5.

I have started Kaspersky on the second potentially infected PC and will likely start the anti-rootkit scans on the others tomorrow.

I like Malwarebytes a lot and will continue to use it, but I'm also impressed that Kaspersky found this and Malwarebytes did not.
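An added example, not part of the original thread: the redirect URL quoted in the first post carries its tracking data base64-encoded in the engine parameter, and decoding that token is a quick way to pull campaign indicators out of a rogue-AV redirect. The token as pasted is mangled (a stray %3D at each end and a prefix that is not valid base64), so the script below strips everything outside the base64 alphabet and decodes at all four alignments, keeping only printable runs. On this URL that recovers pid=40s10, which lines up with the pack_40s10[1].exe Kaspersky flagged, and the start of a time= value. Everything except the URL itself is constructed here; the script is not from the thread or from any tool named in it.

```python
# Added example, not from the thread: recover readable key=value indicators from the
# base64 tracking parameter of a rogue-AV redirect URL. Only REDIRECT_URL comes from the
# thread; the decoding approach and helper names are this example's own.
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Redirect URL quoted in the original post (the "engine" value is the tracking token).
REDIRECT_URL = ("http://safe-your-pc008.com/scn1/?engine="
                "%3D3Qz0jTuMjQzLjEzMC4xOTgmcGlkPTQwczEwJnRpbWU9MTI2MTc4OI0NaA%3DM")

NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")          # anything outside the base64 alphabet
PRINTABLE_RUN = re.compile(rb"[ -~]{8,}")        # 8+ consecutive printable ASCII bytes
KEY_VALUE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=([^&]*)")

def query_params(url):
    """Query-string parameters as {name: first value}; %XX escapes are decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}

def decode_tracking_token(token):
    """Base64-decode a possibly mangled token at all four alignments; keep printable runs.

    Stray '=' and non-alphabet characters are dropped first and each chunk is trimmed to
    a multiple of four characters, so b64decode cannot raise; misaligned shifts produce
    binary noise that the printable-run filter discards.
    """
    clean = NOT_B64.sub("", token)
    runs = []
    for shift in range(4):
        chunk = clean[shift:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]
        raw = base64.b64decode(chunk)
        runs.extend(m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(raw))
    return runs

def key_values(runs):
    """First key=value pair seen for each key across the decoded runs."""
    out = {}
    for run in runs:
        for key, value in KEY_VALUE.findall(run):
            out.setdefault(key, value)
    return out

def triage_redirect(url):
    """Host plus any key=value indicators recovered from base64-looking parameters."""
    indicators = {}
    for name, value in query_params(url).items():
        kv = key_values(decode_tracking_token(value))
        if kv:
            indicators[name] = kv
    return {"host": urlsplit(url).hostname, "indicators": indicators}

if __name__ == "__main__":
    print(triage_redirect(REDIRECT_URL))
```

The decoded fields identify the affiliate or campaign id and the time of the redirect, not the site that sent the browser there; the referrer still has to come from history or cache records. Change REDIRECT_URL to run it against any other redirect you capture.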


I downloaded ComboFix to the desktop and renamed the executable when I saved it.  I tried to install it and got an error message when I did; I have enclosed the error message.

This is the same machine where the Trojan.Win32.FraudPack.ajsx in the file pack_40s10[1].exe was found by kaspersky.

This machine also kicked me out of VNC and I am on my way to it at a remote location.  I was told by the users there that more errors were on the screen.

On the second machine Kaspersky found nothing but malwarebytes found 6 infections including Trojan.FakeAlert.H, Rogue.Security.Tool and Rogue.Multiple.




ErrorInstallingCombofix.jpg
This is the ComboFix log of the machine infected with Trojan.Win32.FraudPack.ajsx in the file pack_40s10[1].exe.

If anyone can gather anything from this and let me know, thank you!
combofixlog1-8-09.txt
I am finding viruses all over our network now.  I suppose I will have to come in tomorrow, Saturday, to try and clean the machines.

Has anyone else had to deal with a network wide infection and if so, would you mind sharing what happened?

At this point I would like any advice at all!

Thanks a lot,

Maureen
Is this the latest download of ComboFix?

c:\winnt\system32\comres.dll . . . is infected!!

The file comres.dll is the culprit... and since ComboFix did not replace it, maybe it didn't find a valid copy on the system; you may need to get it from the CD or somewhere else to replace that file.


Thank you so much for all the assistance.  I will take the steps suggested and get back to you.
I have replaced the comres.dll file.  At least, I did this:
1--Unhid all system files

2--Searched for the file and it did not exist in the directory reported, c:\windows\system32

3--I pasted the new comres.dll file into the c:\windows\system32 directory, reasoning that if I had overlooked it I would be prompted to replace it; I was not, and the file copied

4--Restarted and ran combofix again, the log is enclosed.

I would greatly appreciate any more comments, insight and/or advice on any of this before I declare the machine clean.


ComboFix.txt
Good job, ComboFix is not flagging that file as infected.
Have the redirects stopped?
I would keep an eye on it over the next few days to ensure nothing out of the ordinary grabs your attention.  Besides that though, if you're not getting any hits from any of those programs, I think you're pretty much done.
Hi ged325,

I agree with you, I will continue to monitor but I also think we're done.  A few final observations :

First, several of the browsers had 4 toolbars installed: Google, MSN, Ask and Yahoo.

Second, as far as ComboFix reporting comres.dll as infected, I believe it was a false positive.  I base this on the fact that 1) the file reported did not exist and 2) all the machines that reported it were Windows 2000.  None of the XP machines reported any problems with this file.

Thanks again for all the help!
One more thing: I was going to download ComboFix from bleepingcomputer.com again and run it on a Windows 2000 machine that was not infected to see if I got the same report on comres.dll, but the link at bleepingcomputer says the author is fixing a problem with ComboFix and not to download it.

From the website at http://download.bleepingcomputer.com/sUBs/ComboFix.html :

ComboFix is not available for download until an issue with the program has been resolved. Please be patient while the developer fixes the program and makes it available once again. As more information becomes available, we will update this page.

At any rate, thanks again for all the help.
Yeah... and we'll just have to wait till he puts it back up again.

Till then, there are other tools available that we can use if necessary.