2 Replies Latest reply on May 9, 2013 12:26 PM by drekmonger

    JS/Redirector.ar Trojan Encountered at a Website

    drekmonger

My wife visited the web site hurricanemop.com to order a mop from a Dell desktop running Windows XP, IE8 and McAfee Total Protection 2013.  She immediately received a McAfee firewall notice that a JS/Redirector.ar trojan had been encountered and had been quarantined.  I checked through the Quarantined and Trusted Items and saw no file quarantined, but the presence of the offending file on the machine was noted under Security History at C:\documents and settings\MyAccountName\Local Settings/Temporary Internet Files\Content.IE5\0MEU2R7A\hurricanmop_com[1].htm.  I examined that file’s properties.  Compressed Item Properties Box showed “Details”:  Type-HTML Document, Location-as I noted above, Original Size-2 KB, Date-05/02/2013.  “Attributes”:  SRC32-B248F044, Index-0, Compression-Deflated, Packed Size-1 KB.  I tried to delete the file manually but received a “Compressed (Zipped) Folders Error” indicating that the machine “cannot create output file.”  I also could not copy the file to another location on the machine so I could upload it to McAfee and VirusTotal for evaluation.  Any action involving the file apparently requires a password.  After my failed attempt to delete the file I used the Windows System Restore to go back to a Restore Point created 05/01/2013.  After the process completed, McAfee updated itself.  I ran Virtual Technician and got “No problems found.”  However, the offending file was still listed under Security History and still resided on the machine.

       

I checked for new and suspicious applications on Control Panel and found none.  I checked the registry for occurrences of the string “hurrican” and found none.  I checked the Services and Startup entries under System Configuration in Windows and found nothing new or suspicious.  I ran a full McAfee scan and a full Microsoft Safety Scan (that took seven hours to complete) and both were clean.  I did an Internet search of people experiencing a similar situation and only found one:  http://www.theforumsite.com/forum/topic/Technical-problems-which-keep-me-away/468296  That individual’s situation appears to have arisen in the same way ours did.  However, he apparently was not protected from infestation by a firewall.

       

      I have pretty much convinced myself that the file that remains on the machine has been neutralized by McAfee and won’t do any harm, even though it doesn’t appear that it can be deleted.  I would like McAfee confirmation of that though.  Also McAfee’s Site Advisor should evaluate the site in question and take note of any perceived dangers to protect other folks.  I would appreciate informed guidance.

       

      Drek 

        • 1. Re: JS/Redirector.ar Trojan Encountered at a Website
          Hayton

          McAfee has quarantined the file so you're probably safe enough. You can't see it listed under Quarantined Items? Or under Quarantined PUPs? That's unusual.

           

          Some of McAfee's corporate customers are getting large numbers of detections of this redirector and are wondering if the detection is a false positive. I'm waiting to see whether anyone from McAfee posts in that thread. Certainly Microsoft recognise this javascript redirector as a piece of malware, and accurately state where to look for the infected file.

           

          I suggest you run a full scan with Malwarebytes Free and see whether it detects anything. Malwarebytes has a utility (File Assassin) which will get rid of locked files, which might be useful here.

           

          The website you mention is free of malware - I checked with many different tools. But most of that webpage is content downloaded from another site, internationaledge-dot-com, which links to telebrands-dot-com; and with data being passed down the chain there are many places where something could be inserted to compromise the page at hurricanemop-dot-com - although I found nothing for either of those data providers. Mind you, AdBlock and NoScript together stopped anything except placeholders being displayed. You might want to consider using those in your browser, if they're available.

           

          The one significant warning I found was for the Hosting Provider (GoDaddy, as far as I can make out), and that was only on one of the testing sites (http://www.abuseipdb.com/check/64.71.148.67)

          • 2. Re: JS/Redirector.ar Trojan Encountered at a Website
            drekmonger

Thank you, Hayton.  No, there was no listing of the file under McAfee Quarantined Items or PUPs, and that is a first in my experience.  Does it appear to you that the password-protected and zipped file was created by McAfee to neutralize the file in question?

             

On one of my Windows 7 machines I uninstalled McAfee, installed MBAM Free and ran it successfully.  However, when I uninstalled MBAM and ran its cleanup tool afterward in preparation for re-installing McAfee, it gave me the Blue Screen of Death and my operating system was damaged.  I ultimately had to restore the machine to factory specifications and reinstall all the software and settings.  Although the machine that encountered the JS/Redirector.ar Trojan is running XP, I have made the executive decision to steer clear of the MBAM application.  Perhaps I could install and run Spybot S&D instead?  As I mentioned, Microsoft Safety Scanner showed no infection.

             

            I am surprised you found no issues at the website in question.  I don't know anything about AdBlock or NoScript but will do some research.

             

            Drek