3

I'm not so sure if this is the appropriate place for this, however I accidentally clicked this link which opened a video and infected my Windows 2003 Std server with this virus, which not only creates popup ads but also redirects whatever link I click on within Google's search results. It seems to always go to

http://ix-find.com/?q=

I have tried ClamWin, Ad-Aware, Spybot, SUPERAntiSpyware, ATF-Cleaner and FixWareout and none of those seem to work.

If this isn't the appropriate place for this, could you please direct me to the best place for help with this problem?

thanks in advance.

Mihai Limbăşan
phill
  • HA! Is that the link? Why post it? for us to click it too? – Saif Khan Jun 10 '09 at 18:16
  • 9
    That will teach you to browse the internet on a server... – Antoine Benkemoun Jun 10 '09 at 18:18
  • Yeah... I was trying to download a driver – phill Jun 10 '09 at 19:57
  • You'll want to visit this http://serverfault.com/questions/6190/reinstall-after-a-root-compromise and read through it, especially Robert Moir's excellent response http://serverfault.com/questions/6190/reinstall-after-a-root-compromise/25579#25579 – Avery Payne Jun 14 '09 at 21:48
  • Never ever download drivers except from the manufacturer's website OR Windows Update. Doing anything else will result in issues like this one. – NotMe Sep 10 '09 at 18:37
  • Ah. The irony of running Windows on your server. It's such a silly idea when you stop to think about it. – tylerl Nov 25 '10 at 04:06

10 Answers

18

If it's a server, it's time to reload. There's no telling what it might have done.

sorry.

MathewC
  • If rebuilding after an infection I would make sure I boot from the OS disk (rather than starting Setup from command line) and would reformat the Hard Disk as part of the installation. – codybartfast Jun 10 '09 at 21:25
  • Mathew is right, time to reload. If you can't reload, try Malwarebytes; it should get it. – IOTAMAN Jun 10 '09 at 17:58
14

You probably have this burned into your brain forever at this point, but to the benefit of those who come after, Thou Shalt Not Browse the Internet from Thy Server

Kara Marfia
2

The best thing to do after infecting a machine with any malware is to reinstall. Cleaning malware, even with an AV program or with specific instructions, doesn't necessarily remove all traces. I have performed uncountable cleanings by hand and I have used software to clean, but the only 100% way to be sure is a format and reinstall.

Save yourself some possible trouble in the future and format & reinstall.

Again....

Save yourself some possible trouble in the future and format & reinstall.

..and PS - I am sure you have been scolded enough, but browsing the internet on a server? Come on. I am sure there was another machine available.

cop1152
1

Check whether the hosts file in the C:\WINDOWS\system32\drivers\etc directory has been tampered with. Also try AVG; they seem to be a better scanner these days, IMO.

Saif Khan
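A way to make that hosts-file check systematic (an added example for this thread, not code from Saif Khan's answer): the script below parses a hosts file and flags two patterns, a real hostname pinned to a non-loopback address (a redirect candidate) and a search-engine or vendor domain from a watch-list mapped to loopback (updates or scans blackholed). The sample hosts content and the watch-list are constructed for illustration and are not observations about this infection.

```python
"""Audit a Windows hosts file for entries that could redirect or block browsing.

Added example for this thread, not code from any answer. SAMPLE_HOSTS is a
constructed file, and WATCHED_SUFFIXES is an assumed watch-list of domains
that have no business being overridden on a server.
"""
import ipaddress
import sys

# Assumed watch-list: search engines, Windows Update and AV vendors.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "symantec.com", "mcafee.com", "avg.com",
)

# Constructed sample, not a capture from the infected machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com
192.0.2.10      google.com
127.0.0.1       update.symantec.com
127.0.0.1       windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for each mapping, ignoring comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts mapping line
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_watched(hostname):
    """True if hostname is, or is under, one of the watched domains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return findings as (reason, ip, hostname, line_no) tuples."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue  # the stock loopback entries
        if not ipaddress.ip_address(ip).is_loopback:
            # Any real host pinned to an address is a redirect candidate.
            findings.append(("non-loopback override", ip, name, line_no))
        elif is_watched(name):
            # Vendor/search domain sent to loopback: updates or scans blocked.
            findings.append(("watched domain blackholed", ip, name, line_no))
    return findings


if __name__ == "__main__":
    # Default to the sample; pass the real path to audit a live file, e.g.
    # C:\WINDOWS\system32\drivers\etc\hosts on Windows Server 2003.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for reason, ip, name, line_no in audit_hosts(text):
        print(f"line {line_no}: {reason}: {ip} -> {name}")
```

If the file looks clean, also confirm that the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters still points at the standard drivers\etc directory, since the resolver reads hosts from wherever that value says. And a clean hosts file does not prove anything: the redirect in this thread happens on clicking a result, which a proxy, browser add-on or rootkit can do without touching name resolution.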
1

This is a server; I suggest you put your hand in your pocket and buy some AV! Remember AVG et al. are not free for commercial use.

And then go stand in the corner and think before clicking the little blue "e": how important is this computer and what user am I running as?

squillman
Tom Newton
1

Yeah, never browse to anything other than manufacturer's sites on a server.

On the last PC I cleaned spyware off of, I did clean it and leave it at that, but usually I view cleaning as a temporary fix to keep it going while the user makes sure all their data is off. Then it gets wiped and reformatted.

On a server, I'd never take a chance. I might clean it just for the exercise, but I'd never hook it up to the network until it was wiped.

I've found bleepingcomputer.com to be a good site for finding info on cleaning trojans. If someone has posted on that site and been helped to clean it up, you can follow the same clean-up steps.

In terms of tools for spyware, I keep Spybot Search & Destroy around, also Malwarebytes Anti-Malware and HijackThis.

squillman
Ward - Trying Codidact
0

Smells a bit like Koobface. It uses a supporting application called "tinyproxy" to modify the results you get.

I would advise you to make some considerations about the security of any data you need to keep on the machine. Tear it down and start again. Don't attempt to clean it up unless you really have to.

Dan Carley
  • Another possibility for the infection could be Gumblar: http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html But yeah... server compromise = reinstall – gharper Jun 10 '09 at 19:12
  • It could be any number of things. But I have seen one machine this week doing the ix-find dance, and it turned out to be Koobface. – Dan Carley Jun 10 '09 at 19:42
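One concrete check for the local-proxy route Dan Carley describes (an added example, not part of his answer): if a helper such as tinyproxy is rewriting results, the browser has to be pointed at it somehow. The script below assumes the per-user WinINET proxy setting that Internet Explorer honours, which the thread does not establish, and cross-references it with the process listening on that port. The `reg query` and `netstat -ano` outputs are constructed samples in the format those commands print on Windows Server 2003; a real run would feed the live output.

```python
"""Flag a browser proxy setting that points back at the local machine.

Added example for this thread, not code from any answer. The assumed
mechanism is the per-user WinINET ProxyServer value; SAMPLE_REG and
SAMPLE_NETSTAT are constructed, not captured from an infected host.
"""
import re
import subprocess
import sys

INET_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed `reg query` output: proxy enabled and aimed at loopback.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    127.0.0.1:8080
    ProxyOverride  REG_SZ    <local>
"""

# Constructed `netstat -ano` output: something owns the loopback port.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1932
  TCP    192.0.2.5:1047         192.0.2.1:80           ESTABLISHED     1932
"""


def parse_proxy_settings(reg_text):
    """Return (enabled, [(host, port), ...]) from `reg query` text output."""
    enabled, servers = False, []
    for line in reg_text.splitlines():
        m = re.match(r"\s*(ProxyEnable|ProxyServer)\s+REG_(?:DWORD|SZ)\s+(\S.*)$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "ProxyEnable":
            enabled = int(value, 0) != 0  # REG_DWORD is printed as 0x1
        else:
            # Either "host:port" or "http=host:port;https=host:port;..."
            for item in value.split(";"):
                item = item.split("=", 1)[-1]
                host, _, port = item.rpartition(":")
                if host and port.isdigit():
                    servers.append((host, int(port)))
    return enabled, servers


def parse_listeners(netstat_text):
    """Return {(ip, port): pid} for LISTENING TCP sockets in `netstat -ano` output."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m:
            listeners[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return listeners


def is_local_host(host):
    return host.lower() == "localhost" or host.startswith("127.") or host == "::1"


def find_local_proxy(reg_text, netstat_text):
    """Return {'proxy': 'host:port', 'pid': N or None} if the browser proxy
    points at this machine, else None. pid is None when nothing is listening,
    which is still worth a look: the setting itself should not be there."""
    enabled, servers = parse_proxy_settings(reg_text)
    if not enabled:
        return None
    listeners = parse_listeners(netstat_text)
    for host, port in servers:
        if not is_local_host(host):
            continue
        pid = None
        for (lip, lport), lpid in listeners.items():
            if lport == port and (lip in ("0.0.0.0", "::") or is_local_host(lip)):
                pid = lpid
                break
        return {"proxy": f"{host}:{port}", "pid": pid}
    return None


if __name__ == "__main__":
    if "--live" in sys.argv:  # run the real commands on a Windows host
        run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
        result = find_local_proxy(run("reg", "query", INET_KEY), run("netstat", "-ano"))
    else:
        result = find_local_proxy(SAMPLE_REG, SAMPLE_NETSTAT)
    print(result or "no local proxy configured")
```

A hit gives you a PID to look up with `tasklist /svc` and a binary to pull off the box before the rebuild. A miss proves little: a rewriting component can also sit in the browser as a BHO, in the Winsock stack as an LSP, or below the OS as the rootkit another answer mentions, none of which show up in this setting. The rest of the thread's advice stands either way.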
0

Try ComboFix.exe, from bleepingcomputer.com...

That should get rid of mostly everything; however, you should still reinstall that machine. And then never surf the web on it (or at the very least, create a virtual machine and surf on that).

Roy Rico
0

I have had a similar virus on a personal computer. Google search results link to another page, always with a similar "http://ix-find.com/?q=" URL. Malwarebytes catches most of it, but it still comes back, likewise with Spybot S&D. When I used Ad-Aware, it caught more than usual, and now when I click on a search result, I come up with a page load error with the same "ix-find" URL.

Not really sure what the next step is; I might try HijackThis.

-1

I would check for rootkits. I see them more and more often on infected machines which display this behaviour, i.e. quietly redirecting clicks to bad URLs.

The best tool I've found so far to get rid of them is RootRepeal.

Which you can get here: http://rootrepeal.googlepages.com/

Alistair McMillan