• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 765
  • Last Modified:

Browser redirected, has anyone seen this one

Hello,

I believe one of our networked computers is infected with a rogue antivirus program.  The symptoms included pop-up boxes warning of multiple viruses, and the browser was pointing to the following url:
http://safe-your-pc008.com/scn1/?engine=%3D3Qz0jTuMjQzLjEzMC4xOTgmcGlkPTQwczEwJnRpbWU9MTI2MTc4OI0NaA%3DM


malwareurl.com has safe-your-pc008.com listed as Fast Flux Rogue Antivirus, however I can't find anything else about this anywhere.


I had to force the browser closed with task manager to close all the pop-up windows.

This machine is running windows 2000 sp4.
Malwarebytes found nothing.  I ran superantispyware and it deleted lots of tracking cookies.

I'm now running Kaspersky's virus removal tool to see if it finds anything.

What I really want to know is if anyone has had experience with fast flux or any other browser redirector?

Also, is there any way to possibly tell what site it came from?  It looks like browser history has been deleted and the only record I have are the cookies and the index.dat files under history.ie5.  Anyone know a good way to view those index files?

Thanks,

Maureen



virus3.jpg
0
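The question above asks how to view the index.dat files under History.IE5. As an added example (not part of the original thread, and not a tool any of the posters recommended), here is a small Python reader that scans an index.dat for "URL " records, decodes the last-modified and last-accessed FILETIME stamps, pulls out the visited URL, and flags any entry whose host is on a list of known rogue-antivirus domains. The record field offsets (block count at 0x04, FILETIME pair at 0x08/0x10, URL-string offset at 0x34, 128-byte blocks) are assumed from public reverse-engineering write-ups of the MSIE 5 cache format rather than taken from this page; the sample file is constructed inline so the script runs offline, and the only real hostname in it is the one the question reports.

```python
"""Minimal reader for Internet Explorer index.dat (History.IE5 / Content.IE5).

Example code added for illustration; not from the original thread.
Record layout is assumed from public MSIE 5 cache-format write-ups.
"""
import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK_SIZE = 128  # index.dat allocates records in 128-byte blocks (assumed)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (0 means 'not set')."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def _cstring(buf, start):
    """Read a NUL-terminated string starting at `start` inside `buf`."""
    end = buf.find(b"\x00", start)
    return buf[start:end if end >= 0 else len(buf)].decode("latin-1", "replace")


def parse_index_dat(data):
    """Return a list of dicts, one per 'URL ' record found in `data`.

    The scan keys on the record signature, so it also works on a damaged
    file whose hash tables no longer point at every record.
    Assumed offsets: 0x04 block count, 0x08 modified, 0x10 accessed, 0x34 URL offset.
    """
    records = []
    pos = data.find(b"URL ")
    while pos != -1:
        if pos + 0x38 <= len(data):
            nblocks = struct.unpack_from("<I", data, pos + 4)[0]
            reclen = nblocks * BLOCK_SIZE
            if 0 < reclen <= len(data) - pos:
                modified, accessed = struct.unpack_from("<QQ", data, pos + 8)
                url_off = struct.unpack_from("<I", data, pos + 0x34)[0]
                if 0 < url_off < reclen:
                    location = _cstring(data[pos:pos + reclen], url_off)
                    # History entries are stored as "Visited: <user>@<url>"
                    url = location.split("@", 1)[1] if location.startswith("Visited: ") else location
                    records.append({
                        "offset": pos,
                        "modified": filetime_to_datetime(modified),
                        "accessed": filetime_to_datetime(accessed),
                        "location": location,
                        "url": url,
                    })
                    pos = data.find(b"URL ", pos + reclen)
                    continue
        pos = data.find(b"URL ", pos + 4)  # not a valid record; keep scanning
    return records


def flag_known_bad(records, bad_hosts):
    """Return the records whose URL host is in `bad_hosts` (exact match)."""
    return [r for r in records if urlsplit(r["url"]).hostname in bad_hosts]


def _url_record(url, modified, accessed):
    """Build one constructed 256-byte (2-block) history record for the sample file."""
    body = bytearray(2 * BLOCK_SIZE)
    body[0:4] = b"URL "
    struct.pack_into("<I", body, 4, 2)  # 2 blocks
    struct.pack_into("<QQ", body, 8, datetime_to_filetime(modified), datetime_to_filetime(accessed))
    struct.pack_into("<I", body, 0x34, 0x68)  # URL string starts at 0x68 in this sample
    text = ("Visited: user@" + url).encode("ascii") + b"\x00"
    body[0x68:0x68 + len(text)] = text
    return bytes(body)


def build_sample_index_dat():
    """Constructed sample: a file header plus two history records (not a real capture)."""
    header = b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK_SIZE, b"\x00")
    t1 = datetime(2009, 12, 25, 13, 5, 0, tzinfo=timezone.utc)
    t2 = datetime(2009, 12, 25, 13, 6, 30, tzinfo=timezone.utc)
    return (header
            + _url_record("http://safe-your-pc008.com/scn1/", t1, t1)
            + _url_record("http://www.example.com/", t2, t2))


if __name__ == "__main__":
    recs = parse_index_dat(build_sample_index_dat())
    for r in recs:
        print(r["accessed"], r["url"])
    for r in flag_known_bad(recs, {"safe-your-pc008.com"}):
        print("known rogue-AV host visited:", r["url"], "at", r["accessed"])
```

To use it on a real file, copy the index.dat off the machine while the browser is closed (the file is locked while IE runs) and call `parse_index_dat(open(path, "rb").read())`; the earliest "accessed" stamp on the rogue-AV entry, and the entries just before it, are what point back to the referring site.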
Asked: maureen99
4 Solutions
 
Kyle AbrahamsSenior .Net DeveloperCommented:
would try combofix & smitfraud and hijackthis.

Not good on the forensics part but those will fix 85% of all problems.
0
 
MagicFarmerCommented:
I think you will want to run an anti-rootkit at least once prior to your other windows-based anti-malware.

Sophos makes a good one:  http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

After you have run the anti-rootkit, update and run your other anti-malware programs.  Combofix and Malwarebytes are the best place to start.
0
 
maureen99Author Commented:
Thanks...I will definitely do the combofix, smitfraud and sophos anti-rootkit.

Does anyone have a good link for smitfraud?

Unfortunately, it now may have spread to a second pc on that subnet.  

Malwarebytes ran on the initial pc and didn't find anything, I did a successful update before I ran it.  However, Kaspersky virus removal tool 2010 did find Trojan.Win32.FraudPack.ajsx in the file pack_40s10[1].exe.  This file was in one of the folders under content.ie5.

I have started Kaspersky on the second potentially infected pc and will likely start the rootkits on the others tomorrow.

I like malwarebytes a lot and will continue to use it but I'm also impressed that kaspersky found this and malwarebytes did not.


0
 
rpggamergirlCommented:
Use ComboFix as already suggested. Smitfraudfix hasn't been updated in a while from what I've seen... Hijackthis won't help.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 
0
 
rpggamergirlCommented:
Last update of Smitfraudfix was June, http://siri.geekstogo.com/SmitfraudFix.php
ComboFix is your best bet; just attach the log so we can check to make sure it's clean, as ComboFix does not automatically remove all bad files in its first run. That's why we need to check the log.
Combofix also detects rootkits.
0
 
maureen99Author Commented:
I downloaded combofix to the desktop and renamed the executable when I saved it.  I tried to install it and got an error message when I did, I have enclosed the error message.  This machine also kicked me out of VNC and I am going to it at its remote location.  I was told by the users there that more errors were on the screen.

This is the same machine where the Trojan.Win32.FraudPack.ajsx in the file pack_40s10[1].exe was found by kaspersky.

This machine also kicked me out of VNC and I am on my way to it at a remote location.  I was told by the users there that more errors were on the screen.

On the second machine Kaspersky found nothing but malwarebytes found 6 infections including Trojan.FakeAlert.H, Rogue.Security.Tool and Rogue.Multiple.




ErrorInstallingCombofix.jpg
0
 
Kyle AbrahamsSenior .Net DeveloperCommented:
Try renaming the file (which it looks like you already did) but also move it to the C drive.

It's also recommended that you boot to safe mode when you run this.  

Note: respond NO if prompted to download or install the windows recovery console.

0
 
maureen99Author Commented:
This is the combofix log of the machine infected with Trojan.Win32.FraudPack.ajsx in the file pack_40s10[1].exe.

If anyone can gather anything from this and let me know, thank you!
combofixlog1-8-09.txt
0
 
maureen99Author Commented:
I am finding viruses all over our network now.  I suppose I will have to come in tomorrow, Saturday, to try and clean the machines.

Has anyone else had to deal with a network wide infection and if so, would you mind sharing what happened?

At this point I would like any advice at all!

thanks a lot,

Maureen
0
 
rpggamergirlCommented:
Is this the latest download of Combofix?

c:\winnt\system32\comres.dll . . . is infected!!

the file comres.dll is the culprit... and since ComboFix did not replace it maybe it didn't find a valid one from the system... you may need to get it from the CD or somewhere else to replace that file.


0
 
maureen99Author Commented:
Thank you so much for all the assistance.  I will take the steps suggested and get back to you.
0
 
maureen99Author Commented:
I have replaced the comres.dll file.  At least I did this:
1--Unhid all system files

2--Searched for the file and it did not exist in the directory reported, c:\windows\system32

3--I pasted the new comres.dll file into the c:\windows\system32 directory reasoning that if I overlooked it I would be prompted to replace it, I was not and the file copied

4--Restarted and ran combofix again, the log is enclosed.

I would greatly appreciate any more comments, insight and/or advice on any of this before I declare the machine clean.


ComboFix.txt
0
 
rpggamergirlCommented:
Good job, Combofix is not flagging that file as infected.
Have the redirects stopped?
0
 
Kyle AbrahamsSenior .Net DeveloperCommented:
I would keep an eye on it over the next few days to ensure nothing out of the ordinary grabs your attention.  Besides that though, if you're not getting any hits from any of those programs, I think you're pretty much done.
0
 
maureen99Author Commented:
Hi ged325,

I agree with you, I will continue to monitor but I also think we're done.  A few final observations :

First, several of the browsers had 4 toolbars installed; google, msn, ask and yahoo.

Second, as far as combofix reporting comres.dll as infected I believe it was a false positive.  I base this on the fact that 1) the file reported did not exist and 2) all the machines that reported it were windows 2000.  None of the XP machines reported any problems with this file.

Thanks again for all the help!
0
 
maureen99Author Commented:
One more thing, I was going to download combofix from bleepingcomputer.com again and run it on a windows 2000 machine that was not infected to see if I got the same report on comres.dll, but the link at bleepingcomputer says the author is fixing a problem with combofix and not to download it.

From the website at http://download.bleepingcomputer.com/sUBs/ComboFix.html :

ComboFix is not available for download until an issue with the program has been resolved. Please be patient while the developer fixes the program and makes it available once again. As more information becomes available, we will update this page.

At any rate, thanks again for all the help.
0
 
rpggamergirlCommented:
Yeah...... and we'll just have to wait till he puts it back up again.

Till then, there are other tools available that we can use if necessary.
0
