Intermittent google search redirect [Solved]
Started by
wemogil
, Feb 01 2013 09:46 PM
#16
Posted 05 February 2013 - 07:38 AM
gringo
#17
Posted 05 February 2013 - 03:43 PM
Unfortunately, I got another redirect today. This one took me to:
http://sell-real.com...nt acquisition"
#18
Posted 05 February 2013 - 07:42 PM
The one redirect, could it have been the webpage?
What browser were you using?
Did it happen any more?
#19
Posted 05 February 2013 - 08:40 PM
I don't see how it could be the page. What happens is I use Google, and it gives me a list of results. When I click on one of the results, it takes me not to the URL previewed on the Google results page, but to the sell-real.com site, or one like it. It's not the first time sell-real has popped up. If I go back to the Google results page and click a second time on the same result, I am taken to the correct, listed URL. Third, fourth, fifth time, it always works correctly; it's only the first time I get the bad result, and not very often.
I am pretty sure the source of the infection is an email masquerading as a Fedex package notice that I received on 12/26/12 from [email protected]. It had a link to a bogus "postal receipt" that I stupidly opened. After I realized what it was, I tried rolling back my computer to an earlier restore point, but I think it was too late.
The clickable URL in the email is:
www.missionrelief.org/VCOBMISDHE.php?php=receipt
#20
Posted 05 February 2013 - 08:44 PM
Greetings
I want you to run these next,
Please download the latest version of TDSSKiller from here and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
- Put a checkmark beside loaded modules.
- A reboot will be needed to apply the changes. Do it.
- TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
- Then click on Change parameters in TDSSKiller.
- Check all boxes then click OK.
- Click the Start Scan button.
- The scan should take no longer than 2 minutes.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
- If malicious objects are found, they will show in the Scan results
- Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
- A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Please download aswMBR to your desktop.
- Double click the aswMBR.exe icon to run it
- it will ask to download extra definitions - ALLOW IT
- Click the Scan button to start the scan
- On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
If you have any problems running either one come back and let me know
please reply with the reports from TDSSKiller and aswMBR
Gringo
#21
Posted 05 February 2013 - 09:30 PM
Ok here's the results. I saved the aswMBR before the scan was over because I didn't realize it was still running, then saved it again when it finished, which I think is why the results are listed twice.
18:47:23.0668 7148 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
18:47:24.0178 7148 ============================================================
18:47:24.0178 7148 Current date / time: 2013/02/05 18:47:24.0178
18:47:24.0178 7148 SystemInfo:
18:47:24.0178 7148
18:47:24.0178 7148 OS Version: 6.1.7601 ServicePack: 1.0
18:47:24.0178 7148 Product type: Workstation
18:47:24.0178 7148 ComputerName: WAYNE-PC
18:47:24.0178 7148 UserName: Wayne
18:47:24.0178 7148 Windows directory: C:\Windows
18:47:24.0178 7148 System windows directory: C:\Windows
18:47:24.0178 7148 Running under WOW64
18:47:24.0179 7148 Processor architecture: Intel x64
18:47:24.0179 7148 Number of processors: 8
18:47:24.0179 7148 Page size: 0x1000
18:47:24.0179 7148 Boot type: Normal boot
18:47:24.0179 7148 ============================================================
18:47:25.0404 7148 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
18:47:25.0408 7148 ============================================================
18:47:25.0408 7148 \Device\Harddisk0\DR0:
18:47:25.0408 7148 MBR partitions:
18:47:25.0408 7148 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
18:47:25.0408 7148 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x746D4000
18:47:25.0408 7148 ============================================================
18:47:25.0432 7148 C: <-> \Device\Harddisk0\DR0\Partition2
18:47:25.0432 7148 ============================================================
18:47:25.0433 7148 Initialize success
18:47:25.0433 7148 ============================================================
18:48:30.0551 5464 Deinitialize success
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-05 18:58:12
-----------------------------
18:58:12.159 OS Version: Windows x64 6.1.7601 Service Pack 1
18:58:12.159 Number of processors: 8 586 0x1A04
18:58:12.160 ComputerName: WAYNE-PC UserName: Wayne
18:58:13.251 Initialize success
18:59:18.542 AVAST engine defs: 13020501
18:59:28.040 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T1L0-6
18:59:28.041 Disk 0 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
18:59:28.052 Disk 0 MBR read successfully
18:59:28.053 Disk 0 MBR scan
18:59:28.056 Disk 0 Windows 7 default MBR code
18:59:28.059 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:59:28.062 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953768 MB offset 206848
18:59:28.073 Disk 0 scanning C:\Windows\system32\drivers
18:59:34.080 Service scanning
18:59:47.608 Modules scanning
18:59:47.613 Disk 0 trace - called modules:
18:59:47.625 ntoskrnl.exe CLASSPNP.SYS disk.sys vsflt53.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:59:47.628 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dca790]
18:59:47.631 3 CLASSPNP.SYS[fffff8800195143f] -> nt!IofCallDriver -> [0xfffffa8007cfab50]
18:59:47.635 5 vsflt53.sys[fffff8800105bcfd] -> nt!IofCallDriver -> [0xfffffa8007b7de40]
18:59:47.638 7 ACPI.sys[fffff880011a37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T1L0-6[0xfffffa8007bb3060]
18:59:49.406 AVAST engine scan C:\Windows
18:59:52.095 AVAST engine scan C:\Windows\system32
19:02:28.035 AVAST engine scan C:\Windows\system32\drivers
19:02:35.765 AVAST engine scan C:\Users\Wayne
19:03:35.368 Disk 0 MBR has been saved successfully to "C:\Users\Wayne\Desktop\MBR.dat"
19:03:35.369 The log file has been saved successfully to "C:\Users\Wayne\Desktop\aswMBR.txt"
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-05 18:58:12
-----------------------------
18:58:12.159 OS Version: Windows x64 6.1.7601 Service Pack 1
18:58:12.159 Number of processors: 8 586 0x1A04
18:58:12.160 ComputerName: WAYNE-PC UserName: Wayne
18:58:13.251 Initialize success
18:59:18.542 AVAST engine defs: 13020501
18:59:28.040 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T1L0-6
18:59:28.041 Disk 0 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
18:59:28.052 Disk 0 MBR read successfully
18:59:28.053 Disk 0 MBR scan
18:59:28.056 Disk 0 Windows 7 default MBR code
18:59:28.059 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:59:28.062 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953768 MB offset 206848
18:59:28.073 Disk 0 scanning C:\Windows\system32\drivers
18:59:34.080 Service scanning
18:59:47.608 Modules scanning
18:59:47.613 Disk 0 trace - called modules:
18:59:47.625 ntoskrnl.exe CLASSPNP.SYS disk.sys vsflt53.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:59:47.628 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dca790]
18:59:47.631 3 CLASSPNP.SYS[fffff8800195143f] -> nt!IofCallDriver -> [0xfffffa8007cfab50]
18:59:47.635 5 vsflt53.sys[fffff8800105bcfd] -> nt!IofCallDriver -> [0xfffffa8007b7de40]
18:59:47.638 7 ACPI.sys[fffff880011a37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T1L0-6[0xfffffa8007bb3060]
18:59:49.406 AVAST engine scan C:\Windows
18:59:52.095 AVAST engine scan C:\Windows\system32
19:02:28.035 AVAST engine scan C:\Windows\system32\drivers
19:02:35.765 AVAST engine scan C:\Users\Wayne
19:03:35.368 Disk 0 MBR has been saved successfully to "C:\Users\Wayne\Desktop\MBR.dat"
19:03:35.369 The log file has been saved successfully to "C:\Users\Wayne\Desktop\aswMBR.txt"
19:16:22.929 AVAST engine scan C:\ProgramData
19:18:33.573 Scan finished successfully
19:21:12.458 Disk 0 MBR has been saved successfully to "C:\Users\Wayne\Desktop\MBR.dat"
19:21:12.495 The log file has been saved successfully to "C:\Users\Wayne\Desktop\aswMBR.txt"
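An added example, not code from the thread or from either tool: the two scanners above describe the same disk in different notations (TDSSKiller in hex LBAs and block counts, aswMBR in MB and decimal offsets). A boot-sector rootkit that patches the MBR or hides a partition usually shows up as the tools disagreeing, or as aswMBR not reporting stock MBR code, so a quick cross-check of the two reports is a useful triage step. The log excerpts are copied from the posts above and embedded inline; the function names and the 512-byte sector assumption are mine.

```python
import re

# Excerpts of the TDSSKiller and aswMBR logs quoted in this thread,
# trimmed to the partition-table and MBR-code lines the check needs.
TDSS_LOG = r"""
18:47:25.0408 7148 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
18:47:25.0408 7148 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x746D4000
"""
ASWMBR_LOG = r"""
18:59:28.056 Disk 0 Windows 7 default MBR code
18:59:28.059 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:59:28.062 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953768 MB offset 206848
"""
SECTOR = 512  # assumption: 512-byte sectors (TDSSKiller reports SectorSize 0x200 above)

TDSS_RE = re.compile(
    r"Partition(\d+): MBR, Type (0x[0-9A-Fa-f]+), StartLBA (0x[0-9A-Fa-f]+), BlocksNum (0x[0-9A-Fa-f]+)")
ASW_RE = re.compile(
    r"Disk 0 Partition (\d+) ([0-9A-Fa-f]{2}) (\(A\) )?([0-9A-Fa-f]{2}) \S+ \S+ (\d+) MB offset (\d+)")


def parse_tdss(log):
    """Partition number -> type, start LBA and sector count, from TDSSKiller output."""
    parts = {}
    for idx, ptype, start, blocks in TDSS_RE.findall(log):
        parts[int(idx)] = {"type": int(ptype, 16), "start": int(start, 16), "sectors": int(blocks, 16)}
    return parts


def parse_aswmbr(log):
    """Partition number -> type, start offset (sectors), size in MB and active flag, from aswMBR output."""
    parts = {}
    for idx, boot, active, ptype, mb, offset in ASW_RE.findall(log):
        parts[int(idx)] = {"type": int(ptype, 16), "start": int(offset), "mb": int(mb),
                           "active": bool(active) or boot == "80"}
    return parts


def cross_check(tdss_log, asw_log):
    """Return a list of discrepancies; an empty list means both tools agree
    on the partition table and aswMBR saw stock Windows MBR code."""
    findings = []
    if "default MBR code" not in asw_log:
        findings.append("aswMBR did not report stock MBR code")
    t, a = parse_tdss(tdss_log), parse_aswmbr(asw_log)
    if set(t) != set(a):
        findings.append(f"partition sets differ: tdss={sorted(t)} aswmbr={sorted(a)}")
    for i in sorted(set(t) & set(a)):
        if t[i]["start"] != a[i]["start"]:
            findings.append(f"partition {i}: start LBA {t[i]['start']} vs {a[i]['start']}")
        if t[i]["type"] != a[i]["type"]:
            findings.append(f"partition {i}: type {t[i]['type']:#x} vs {a[i]['type']:#x}")
        mb = t[i]["sectors"] * SECTOR // (1024 * 1024)  # BlocksNum is in sectors
        if mb != a[i]["mb"]:
            findings.append(f"partition {i}: size {mb} MB vs {a[i]['mb']} MB")
    return findings


if __name__ == "__main__":
    issues = cross_check(TDSS_LOG, ASWMBR_LOG)
    print("no discrepancies between TDSSKiller and aswMBR" if not issues else "\n".join(issues))
```

For the logs posted here the check comes back empty, which matches the helper moving on to a different tool rather than treating the MBR as the problem.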
#22
Posted 05 February 2013 - 09:41 PM
Hello
I would like you to run this new tool and see if it finds anything.
Malwarebytes Anti-Rootkit
1.Download Malwarebytes Anti-Rootkit
2.Unzip the contents to a folder in a convenient location.
3.Open the folder where the contents were unzipped and run mbar.exe
4.Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5.Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6.Wait while the system shuts down and the cleanup process is performed.
7.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8.If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
•Internet access
•Windows Update
•Windows Firewall
9.If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10.Verify that your system is now functioning normally.
Gringo
#23
Posted 05 February 2013 - 11:44 PM
Malwarebytes Anti-rootkit did not find anything, said I was clean and did not ask for a reboot. Everything seems to be working normally...
#24
Posted 05 February 2013 - 11:50 PM
right now there are no redirects?
gringo
#25
Posted 06 February 2013 - 01:05 AM
Hard for me to know yet, because it's so hard to replicate--it will do it once, and then I will try repeatedly to make it do it again and it won't. Then the next day, the same thing. Like they programmed it not to be obnoxious enough that a person has no choice but to do something, and it can instead just sit there doing its thing for a long, long time. Was the virus file I sent you a link to familiar? Have you seen this one or one like it before?
Please keep the thread open and I'll report results back for the next couple of days. Once again, thanks very much.
Wayne
#26
Posted 06 February 2013 - 01:11 AM
I have not been able to check out the link yet
of course it will be open for a couple of days
#27
Posted 07 February 2013 - 11:01 AM
Got another redirect today to the same cheap, alternate search engine:
http://sell-real.com...ern california"
#28
Posted 07 February 2013 - 11:04 AM
in which browser did it happen?
#29
Posted 07 February 2013 - 11:06 AM
I notice also that the link on the sell-real site goes here:
http://www.theclickc...C9kaXJlY3QvMDEv
And while I can't find anything about viruses and sell-real on the web, there is a lot of info about the click check virus that I'm reading through now myself.
#30
Posted 07 February 2013 - 11:15 AM
This is exactly what I have:
http://www.spywarere...irectVirus.html
Except the redirects are so sporadic, people are surely tempted to ignore it rather than take action to remove it.