I admin the local newspaper's website and got a phone call from a user who said that when they tried to access our site from Google they got a popup saying their computer was infected...
Basically there was a DNS redirect in place (htaccess) that tried to get end users to install Antivirus 2009.
The tech guy at my ISP was very much aware of this, saw the problem right away, deleted it from our servers and sent me the following email re: the problem:
____________________________________________________________________________
Thank you for calling. Regarding the issue that you called in about, please review the following information.
Basically, this rogue anti-virus software installs malware on your computer that then sends your sensitive data back to a source. This source then hacks your account and installs htaccess files that redirect to other sites for the download of this same rogue anti-virus software. Information on how this virus originated on the web can be found at the following link:
http://www.techpavan.com/2008/07/15/google...-consider-them/
Or if you are using a MAC, at the following address:
http://www.dslreports.com/forum/r21346127-...09-on-a-MACBOOK
This hack that you are referring to is becoming more prevalent across the internet. As far as our security analyst can tell, all of these hacks are being conducted via malware that has gained access to your FTP login information. You will need to follow these steps to protect your domains/account in the future. Go to the following link and follow the instructions for the removal of this malware. You will need to do this on any computer that has accessed your site via FTP.
http://www.bleepingcomputer.com/malware-re...-antivirus-2009
Once and only once you have checked your computer and/or removed this av2009.exe file, then you will need to change your FTP password information for all of your domains. You will also need to delete these htaccess files from all of your sites. If you have been contacted by Google regarding your sites' security, then you will need to follow the directions in this email to have your site re-scanned. This may take some time to resolve if Google has cached your site while the injected htaccess files were on your domain.
If you have questions regarding any of this information, please contact our support anytime.
Best Regards,
Pat
Tech Support
____________________________________________________________________________
So my problem is twofold, in that I have used 2 different computers to admin the site...
However, I know that I did not get this virus in the conventional way, i.e. clicking on a popup that says my computer may be infected, scan now, etc.
I am still checking the home computer at the moment, using a Malwarebytes full scan. A quick scan run earlier found no infections; here are the results:
___________________________________________________________________________
Malwarebytes' Anti-Malware 1.32
Database version: 1643
Windows 5.1.2600 Service Pack 3
1/11/2009 2:29:47 PM
mbam-log-2009-01-11 (14-29-47).txt
Scan type: Quick Scan
Objects scanned: 63569
Time elapsed: 9 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
_________________________________________________________________________
Will post updated results from the full scan when it's finished...
If this program doesn't find anything on my computer, can I assume I am in the clear for my home PC at least?
I am anxious to change my FTP password so another copy of this redirect doesn't end up on my servers...
I suspect it's the computer at work that is compromised, but that's another issue for another day.
Thanks in advance for your help
Van
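The ISP's email describes the server-side half of this incident: stolen FTP credentials are used to drop .htaccess files that redirect visitors (in this case, only those arriving from a search engine) to a rogue anti-virus download. The script below is an added example, not part of the original post or the ISP's advice, showing how a site admin can sweep a web root for .htaccess files whose redirect rules look injected: rewrites or redirects that point to another host, or that are conditional on the visitor's referer or user agent, which is how such redirects stay invisible to the site owner who types the URL directly. The two sample .htaccess bodies and the `example.invalid` host are constructed for the demonstration.

```python
"""Sweep a web root for .htaccess files carrying suspicious redirect rules.

Added example for illustration; the sample .htaccess contents below are
constructed and the redirect target example.invalid is a placeholder.
"""
import os
import re
import tempfile

# Directives that can send a visitor somewhere else.
REDIRECT_DIRECTIVES = re.compile(
    r"^\s*(RewriteRule|Redirect(Match|Permanent|Temp)?|ErrorDocument)\b", re.I)
# RewriteCond lines keyed on where the visitor came from or which browser they
# use. Injected files typically redirect only search-engine traffic so the
# owner, who types the URL directly, never sees the redirect.
REFERER_COND = re.compile(
    r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(.+)$", re.I)
# A rewrite target on another host is the strongest single signal.
EXTERNAL_TARGET = re.compile(r"https?://", re.I)

# Constructed sample of what an injected file looks like (not real content).
INJECTED_SAMPLE = """\
# constructed sample, not from a real incident
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule .* http://example.invalid/scan [R,L]
"""

# Constructed benign file: an internal, unconditional redirect and a local
# error page, as a normal site would have.
BENIGN_SAMPLE = """\
RewriteEngine On
RewriteRule ^archive/(.*)$ /news/$1 [R=301,L]
ErrorDocument 404 /404.html
"""


def scan_htaccess_text(text):
    """Return (line_no, reason, line) findings for one .htaccess body."""
    findings = []
    pending = set()  # referer/UA variables from RewriteCond lines awaiting a rule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REFERER_COND.match(line)
        if m:
            pending.add(m.group(1).upper())
            continue
        if REDIRECT_DIRECTIVES.match(line):
            reasons = []
            if EXTERNAL_TARGET.search(line):
                reasons.append("redirects to external host")
            if pending:
                reasons.append("conditional on " + ",".join(sorted(pending)))
            if reasons:
                findings.append((no, "; ".join(reasons), line))
            # RewriteCond lines only apply to the next RewriteRule.
            pending = set()
    return findings


def scan_tree(root):
    """Walk a web root; map each .htaccess (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_htaccess_text(fh.read())
        if findings:
            report[os.path.relpath(path, root)] = findings
    return report


def demo():
    """Write both constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "news"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write(BENIGN_SAMPLE)
        with open(os.path.join(root, "news", ".htaccess"), "w") as fh:
            fh.write(INJECTED_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        for no, reason, line in findings:
            print(f"{path}:{no}: {reason}: {line}")
```

Run it against a copy of the live web root (for example right after a fresh FTP download) and review every flagged file by hand; a WordPress-style `RewriteRule . /index.php [L]` guarded by `REQUEST_FILENAME` conditions is deliberately not flagged, while a rule that redirects only referer-matched traffic to another host is. Because the injected files are written with the stolen FTP login, the sweep is only useful after the password has been changed, as the ISP's email says.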