elsakurien85

Redirection of search results by googleadscentral.com

It seems that some malware/virus is dynamically modifying my Google search results in Firefox & IE but not in Chrome.

E.g., in Chrome the search results for "malware" contain

Jotti's malware scan

Jotti's malware scan is a free online scan service, utilising various anti-virus programs to diagnose single files.

virusscan.jotti.org/ - Cached - Similar

McAfee Threat Center

Potentially unwanted programs (PUPs) are not considered malware. ... A high incidence of new malware that potentially can cause damage has been reported. ...

www.mcafee.com/us/threat_center/default.asp - Cached - Similar

while in IE & Firefox they appear as

Jotti's malware scan

Jotti's malware scan is a free online scan service, utilising various anti-virus programs to diagnose single files.

spytds.com/ - Cached - Similar

McAfee Threat Center

Potentially unwanted programs (PUPs) are not considered malware. ... A high incidence of new malware that potentially can cause damage has been reported. ...

trafgo.biz/ - Cached - Similar

After some troubleshooting I see that the browser makes HTTP requests to googleadscentral.com and receives malicious JavaScript which is used to replace search results. The HTTP capture is attached.

Would you have any suggestions on how to track down and remove this nuisance?

Thanks

httpcapture.txt
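
As an added example (not part of the original thread, and not the poster's attached capture): one way to triage an HTTP capture like the one described above is to flag requests that a Google results page triggers toward hosts outside an expected set. The allowlist, the sample capture, and its paths are assumptions constructed for illustration; only the host googleadscentral.com comes from the post.

```python
from urllib.parse import urlsplit

# Assumption: hosts a Google results page is expected to load from.
# Extend with a country domain if searches go through one.
ALLOWED_SUFFIXES = ("google.com", "gstatic.com", "googleapis.com")

# Constructed sample capture (not the attached httpcapture.txt); paths are made up.
SAMPLE_CAPTURE = """\
GET /search?q=malware HTTP/1.1
Host: www.google.com

GET /images/logo.png HTTP/1.1
Host: ssl.gstatic.com
Referer: http://www.google.com/search?q=malware

GET /example.js HTTP/1.1
Host: googleadscentral.com
Referer: http://www.google.com/search?q=malware

GET /index.html HTTP/1.1
Host: example.org
Referer: http://example.net/links
"""

def host_allowed(host):
    # Exact or dot-bounded suffix match; a substring test for "google"
    # would wrongly accept googleadscentral.com.
    host = host.lower().split(":")[0].rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def parse_requests(capture):
    # Yield (path, headers) for each blank-line-separated request block.
    for block in capture.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.strip().splitlines()
        parts = lines[0].split() if lines else []
        if len(parts) < 2:
            continue
        pairs = (line.partition(":") for line in lines[1:])
        headers = {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}
        yield parts[1], headers

def unexpected_hosts(capture):
    # Requests referred by a Google page but sent to a non-allowlisted host.
    flagged = []
    for path, headers in parse_requests(capture):
        referer_host = urlsplit(headers.get("referer", "")).hostname or ""
        if host_allowed(referer_host) and not host_allowed(headers.get("host", "")):
            flagged.append((headers.get("host", ""), path))
    return flagged

if __name__ == "__main__":
    print(unexpected_hosts(SAMPLE_CAPTURE))
```

Running the same check on captures from the unaffected browser (Chrome, in this thread) gives a baseline: a host that only appears in the affected browsers' captures is the one to investigate.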

Try going into safe mode and do a full scan with both SUPERAntiSpyware and Malwarebytes.

my forum http://pchelpp.prophpbb.com/


The last time that happened on my end I traced it down to the TDSS Rootkit

Some sites call it TDL - I'm pretty sure that's what Mbam found it as.

Every time it removed it, it didn't - it was back within hours or days.

I finally found a free TDSS rootkit remover that Kaspersky had released.

I can't say with any certainty this is also what you have, but I thought I'd offer the info - just in case.


Thanks for the suggestion.

I tried the TDSS rootkit removing tool from Kaspersky Lab but it did not report any infection. However, it led me to gmer and mbr.exe.

gmer reported "rootkit-like behavior" in multiple sectors, e.g.

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

When I used the "copy" context menu on the reported item in gmer and saved it to a file on the hard disk, Microsoft Security Essentials identified it as Trojan:DOS/Sinowal.M

I then ran "mbr.exe -f" but that did not resolve all of them. Then, as instructed by mbr.exe, I used Windows XP Recovery Console and fixmbr.exe to remove the remaining infections.

Now Firefox is running faster and I don't seem to have infected search results. I shall keep watching before I assure myself that the malware is gone for good.
