ftp access compromised - google search redirects to antivirus 2009

I admin the local newspapers website and got a phone call from a user who said that when they tried to access our site from google they got a popup saying their computer was infected...

basically there was a dns redirect in place that (htaccess) tried to get end users to install antivirus 2009.

the tech guy at my isp was very much aware of this, saw the problem right away and deleted it from our servers and sent me the following emaill re: the problem:
____________________________________________________________________________
Thank you for calling. Regarding the issue that you called in about, please review the following information.

Basically, this rogue anti-virus software installs malware on your computer that then sends your sensitive data back to a source. This source then hacks your account and installs htaccess files that redirect to other sites for the download of this same rogue anti-virus software. Information on how this virus originated on the web can be found at the following link:
http://www.techpavan.com/2008/07/15/google...-consider-them/

Or if you are using a MAC, at the following address:
http://www.dslreports.com/forum/r21346127-...09-on-a-MACBOOK

This hack that you are referring to is becoming more prevalent across the internet. As far as our security analyst can tell, all of these hacks are being conducted via malware that has gained access to your ftp login information. You will need to follow the following steps to protect your domains/account in the future. Go to the following link and follow the removal instructions for the removal of this malware. You will need to do this on any computer that has accessed your site via ftp.

http://www.bleepingcomputer.com/malware-re...-antivirus-2009

Once and only once you have checked your computer and/or removed this av2009.exe file, then you will need to change your ftp password information for all of your domains. You will also need to delete these htaccess files from all of your sites. If you have been contacted by google regarding your sites' security, then you will need to follow the directions in this email to have your site re-scanned. This may take some time to resolve if google has cached your site while the injected htaccess files were on your domain.

If you have questions regarding any of this information, please contact our support anytime.

Best Regards,
Pat
Tech Support
____________________________________________________________________________



so my problem(s) is/are twofold in that I have used 2 diff computers to admin the site...

however I know that I did not get this virus in the conventional way, ie: clicking on a popup that says my comp may be infected, scan now etc.

I am still checking the home comp atm, using malwarebytes full scan. a quick scan run earlier found no infections, here are the results:


___________________________________________________________________________

Malwarebytes' Anti-Malware 1.32
Database version: 1643
Windows 5.1.2600 Service Pack 3

1/11/2009 2:29:47 PM
mbam-log-2009-01-11 (14-29-47).txt

Scan type: Quick Scan
Objects scanned: 63569
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_________________________________________________________________________

will post updated reults from the full scan when its finished...

if this program doesnt find anything on my comp can I assume I am in the clear for my home pc at leastl?

I am anxious to change my ftp password so another copy of this redirect doesnt end up on my servers...

I suspect its the comp at work that is compromised, but thats another issue for another day.

Thanks in advance for your help

Van

here is the results of the full scan:
_________________________________________
Malwarebytes' Anti-Malware 1.32
Database version: 1643
Windows 5.1.2600 Service Pack 3

1/11/2009 3:38:42 PM
mbam-log-2009-01-11 (15-38-42).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 182932
Time elapsed: 1 hour(s), 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_________________________________________


just for grins I did a scan with kaspersky online (and with avast, my pc's normal antivirus software)
kaspersky came up with this:
_________________________________________
Sunday, January 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 11, 2009 17:36:27
Records in database: 1603648


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 137562
Threat name 3
Infected objects 2
Suspicious objects 1
Duration of the scan 01:48:57

File name Threat name Threats count
C:\Documents and Settings\John Yanik\Desktop\download quarentine\listalphabetizer.zip Infected: not-a-virus:AdWare.Win32.Rabio.cz 1

C:\Documents and Settings\John Yanik\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail (jo db1\Cox MM\153C7E87-00000004.eml Infected: Trojan-Spy.HTML.Paylap.n 1

C:\Documents and Settings\John Yanik\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail (jo db1\Cox MM\26A6701F-0000000E.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
_______________________________________________

I deleted all 3 of these files, the last 2 were archived emails that have never been opened on this machine...

so the million dollar question is, Am I safe ?

I really need to change my ftp password asap...

any input would be appreciated, I feel 99% sure this comp isn't the problem.

anybody have a similar event? most posts I see here re: this virus had hijacked an end users homepage...

this actually put a redirect on my server where my website is hosted, scary stuff!

I just need to know if I'm taking all the necessary precautions -

Thanks -

Van

just finished running a deep scan w/ avast...

found 0 infected files, but came up with 223 files where it said:

"unable to scan, archive is password protected"

have never seen that before and also adaware and spybot search and destroy are both unable to update definitions.

so much for 99% sure this cpu isnt hacked...

is there another scan I should be running?

I'm sorry your post was overlooked. I'm still researching this Google redirect. It's becoming more prevalent Try this:
------------------------------------------------
ATF
Please download ATF Cleaner by Atribune & save it to your desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now SAS,may need an hour
Please download and scan with SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
• In the Main Menu, click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Ok so I have done the malwarebyes scan, adaware, spybot search and destroy and thorough scans with avast and have found nothing on either machine.

I also havent found the htacess file that was reported to have been the source of the redirect. Now that is the very odd part, as I back up my entire website

form the server every morning first thing. I do this because its a news site and Im always adding small bits to the site as the day goes on.


Thanks for the extra steps I will get going on them as soon as I finish my daily update.

Van

I just finished discussing Google redirects with one of the HJT team leaders this morning.
It's pretty obnoxious and none of the common tools seem to work. At this point I would recommend submitting a HJT log:
-----------------------------------
Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your log in the thread titled "Post in this thread when you haven't received an answer in five days.".

ok will do - thanks for the help!

so I followed the instructions and posted in the other forum...

meanwhile I was bored so I ran superantispyware in safe mode as per your previous post
and it didnt find anything at all.

thanks again

Van