Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Intermittent google search redirect [Solved]


  • This topic is locked This topic is locked

#16
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
you are more than welcome



gringo
  • 0

Advertisements


#17
wemogil

wemogil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Unfortunately, I got another redirect today. This one took me to:

http://sell-real.com...nt acquisition"
  • 0

#18
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
the one redirect could it have been the webpage?

in what browser were you using?

did it happen anymore?
  • 0

#19
wemogil

wemogil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I don't see how it could be the page. What happens is I use Google, and it gives me a list of results. When I click on one of the results, it takes me not to the URL previewed on the Google results page, but to the sell-real.com site, or one like it. It's not the first time sell-real has popped up. If I go back to the Google results page and click a second time on the same result, I am taken to the correct, listed URL. Third, fourth, fifth time, it's always works correctly, it's only the first time I get the bad result, and not very often.

I am pretty sure the source of the infection is an email masquerading as a Fedex package notice that I received on 12/26/12 from [email protected] It had a link to a bogus "postal receipt" that I stupidly opened. After I realized what it was, I tried rolling back my computer to an earlier restore point, but I think it was too late.

The clickable URL in the email is:


www.missionrelief.org/VCOBMISDHE.php?php=receipt
  • 0

#20
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

I want you to run these next,

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
  • 0

#21
wemogil

wemogil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Ok here's the results. I saved the aswMBR before the scan was over because I didn't realize it was still running, then saved it again when it finished, which I think is why the results are listed twice.




18:47:23.0668 7148 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
18:47:24.0178 7148 ============================================================
18:47:24.0178 7148 Current date / time: 2013/02/05 18:47:24.0178
18:47:24.0178 7148 SystemInfo:
18:47:24.0178 7148
18:47:24.0178 7148 OS Version: 6.1.7601 ServicePack: 1.0
18:47:24.0178 7148 Product type: Workstation
18:47:24.0178 7148 ComputerName: WAYNE-PC
18:47:24.0178 7148 UserName: Wayne
18:47:24.0178 7148 Windows directory: C:\Windows
18:47:24.0178 7148 System windows directory: C:\Windows
18:47:24.0178 7148 Running under WOW64
18:47:24.0179 7148 Processor architecture: Intel x64
18:47:24.0179 7148 Number of processors: 8
18:47:24.0179 7148 Page size: 0x1000
18:47:24.0179 7148 Boot type: Normal boot
18:47:24.0179 7148 ============================================================
18:47:25.0404 7148 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
18:47:25.0408 7148 ============================================================
18:47:25.0408 7148 \Device\Harddisk0\DR0:
18:47:25.0408 7148 MBR partitions:
18:47:25.0408 7148 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
18:47:25.0408 7148 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x746D4000
18:47:25.0408 7148 ============================================================
18:47:25.0432 7148 C: <-> \Device\Harddisk0\DR0\Partition2
18:47:25.0432 7148 ============================================================
18:47:25.0433 7148 Initialize success
18:47:25.0433 7148 ============================================================
18:48:30.0551 5464 Deinitialize success





aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-05 18:58:12
-----------------------------
18:58:12.159 OS Version: Windows x64 6.1.7601 Service Pack 1
18:58:12.159 Number of processors: 8 586 0x1A04
18:58:12.160 ComputerName: WAYNE-PC UserName: Wayne
18:58:13.251 Initialize success
18:59:18.542 AVAST engine defs: 13020501
18:59:28.040 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T1L0-6
18:59:28.041 Disk 0 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
18:59:28.052 Disk 0 MBR read successfully
18:59:28.053 Disk 0 MBR scan
18:59:28.056 Disk 0 Windows 7 default MBR code
18:59:28.059 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:59:28.062 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953768 MB offset 206848
18:59:28.073 Disk 0 scanning C:\Windows\system32\drivers
18:59:34.080 Service scanning
18:59:47.608 Modules scanning
18:59:47.613 Disk 0 trace - called modules:
18:59:47.625 ntoskrnl.exe CLASSPNP.SYS disk.sys vsflt53.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:59:47.628 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dca790]
18:59:47.631 3 CLASSPNP.SYS[fffff8800195143f] -> nt!IofCallDriver -> [0xfffffa8007cfab50]
18:59:47.635 5 vsflt53.sys[fffff8800105bcfd] -> nt!IofCallDriver -> [0xfffffa8007b7de40]
18:59:47.638 7 ACPI.sys[fffff880011a37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T1L0-6[0xfffffa8007bb3060]
18:59:49.406 AVAST engine scan C:\Windows
18:59:52.095 AVAST engine scan C:\Windows\system32
19:02:28.035 AVAST engine scan C:\Windows\system32\drivers
19:02:35.765 AVAST engine scan C:\Users\Wayne
19:03:35.368 Disk 0 MBR has been saved successfully to "C:\Users\Wayne\Desktop\MBR.dat"
19:03:35.369 The log file has been saved successfully to "C:\Users\Wayne\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-05 18:58:12
-----------------------------
18:58:12.159 OS Version: Windows x64 6.1.7601 Service Pack 1
18:58:12.159 Number of processors: 8 586 0x1A04
18:58:12.160 ComputerName: WAYNE-PC UserName: Wayne
18:58:13.251 Initialize success
18:59:18.542 AVAST engine defs: 13020501
18:59:28.040 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T1L0-6
18:59:28.041 Disk 0 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
18:59:28.052 Disk 0 MBR read successfully
18:59:28.053 Disk 0 MBR scan
18:59:28.056 Disk 0 Windows 7 default MBR code
18:59:28.059 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:59:28.062 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953768 MB offset 206848
18:59:28.073 Disk 0 scanning C:\Windows\system32\drivers
18:59:34.080 Service scanning
18:59:47.608 Modules scanning
18:59:47.613 Disk 0 trace - called modules:
18:59:47.625 ntoskrnl.exe CLASSPNP.SYS disk.sys vsflt53.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:59:47.628 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dca790]
18:59:47.631 3 CLASSPNP.SYS[fffff8800195143f] -> nt!IofCallDriver -> [0xfffffa8007cfab50]
18:59:47.635 5 vsflt53.sys[fffff8800105bcfd] -> nt!IofCallDriver -> [0xfffffa8007b7de40]
18:59:47.638 7 ACPI.sys[fffff880011a37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T1L0-6[0xfffffa8007bb3060]
18:59:49.406 AVAST engine scan C:\Windows
18:59:52.095 AVAST engine scan C:\Windows\system32
19:02:28.035 AVAST engine scan C:\Windows\system32\drivers
19:02:35.765 AVAST engine scan C:\Users\Wayne
19:03:35.368 Disk 0 MBR has been saved successfully to "C:\Users\Wayne\Desktop\MBR.dat"
19:03:35.369 The log file has been saved successfully to "C:\Users\Wayne\Desktop\aswMBR.txt"
19:16:22.929 AVAST engine scan C:\ProgramData
19:18:33.573 Scan finished successfully
19:21:12.458 Disk 0 MBR has been saved successfully to "C:\Users\Wayne\Desktop\MBR.dat"
19:21:12.495 The log file has been saved successfully to "C:\Users\Wayne\Desktop\aswMBR.txt"
  • 0

#22
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

I would like you to run this new tool and see if it finds anything.

Malwarebytes Anti-Rootkit

1.Download Malwarebytes Anti-Rootkit
2.Unzip the contents to a folder in a convenient location.
3.Open the folder where the contents were unzipped and run mbar.exe
4.Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5.Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6.Wait while the system shuts down and the cleanup process is performed.
7.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8.If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
•Internet access
•Windows Update
•Windows Firewall9.If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10.Verify that your system is now functioning normally.

Gringo
  • 0

#23
wemogil

wemogil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Malwarebytes Anti-rootkit did not find anything, said I was clean and did not ask for a reboot. Everything seems to be working normally...
  • 0

#24
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
right now there is no redirects?


gringo
  • 0

#25
wemogil

wemogil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hard for me to know yet, because it's so hard to replicate--it will do it once, and then I will try repeatedly to make it do it again and it won't. Then the next day, the same thing. Like they programmed it not to be obnoxious enough that a person has no choice but to do something, and it can instead just sit there doing it's thing for a long, long time. Was the virus file I sent you a link to familiar? Have you seen this one or one like it before?

Please keep the thread open and I'll report results back for the next couple of days. Once again, thanks very much.

Wayne
  • 0

Advertisements


#26
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
I have not been able to check out the link yet


of course it will be open for a couple of days
  • 0

#27
wemogil

wemogil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Got another redirect today to the same cheap, alternate search engine:

http://sell-real.com...ern california"
  • 0

#28
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
in which browser did it happen?
  • 0

#29
wemogil

wemogil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I notice also that the link on the sell-real site goes here:

http://www.theclickc...C9kaXJlY3QvMDEv

And while I can't find anything about viruses and sell-real on the web, there is a lot of info about the click check virus that I'm reading through now myself.
  • 0

#30
wemogil

wemogil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
This is exactly what I have:

http://www.spywarere...irectVirus.html

Except the redirects are so sporadic, people are surely tempted to ignore it rather than take action to remove it.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP