elsakurien85 Posted April 6, 2010

It seems that some malware/virus is dynamically modifying my Google search results in Firefox & IE but not in Chrome. For example, in Chrome the search results for "malware" contain:

Jotti's malware scan
Jotti's malware scan is a free online scan service, utilising various anti-virus programs to diagnose single files.
virusscan.jotti.org/ - Cached - Similar

McAfee Threat Center
Potentially unwanted programs (PUPs) are not considered malware. ... A high incidence of new malware that potentially can cause damage has been reported. ...
www.mcafee.com/us/threat_center/default.asp - Cached - Similar

while in IE & Firefox they appear as:

Jotti's malware scan
Jotti's malware scan is a free online scan service, utilising various anti-virus programs to diagnose single files.
spytds.com/ - Cached - Similar

McAfee Threat Center
Potentially unwanted programs (PUPs) are not considered malware. ... A high incidence of new malware that potentially can cause damage has been reported. ...
trafgo.biz/ - Cached - Similar

After some troubleshooting I see that the browser makes HTTP requests to googleadscentral.com and receives malicious JavaScript which is used to replace search results. The HTTP capture is attached. Would you have any suggestions on how to track down and remove this nuisance?

Thanks

httpcapture.txt
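The symptom in the post above (result links rewritten after a script is fetched from a host that is not Google's) can be spotted in an HTTP capture by listing every response carrying active content from a host outside the set that legitimately serves a Google results page. The script below is an added example written for this thread, not code from the original poster or the attached httpcapture.txt; it assumes a constructed one-line-per-transaction capture layout (timestamp, method, URL, status, content type), since the real file's format is not shown, and the sample lines are made up to mirror the hosts named in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample capture (hypothetical layout; not the thread's httpcapture.txt).
SAMPLE_CAPTURE = """\
2010-04-06 10:01:02 GET http://www.google.com/search?q=malware 200 text/html
2010-04-06 10:01:02 GET http://www.google.com/images/nav_logo.png 200 image/png
2010-04-06 10:01:03 GET http://www.gstatic.com/ui/icons/cleardot.gif 200 image/gif
2010-04-06 10:01:03 GET http://googleadscentral.com/search/results.js 200 application/x-javascript
2010-04-06 10:01:04 GET http://spytds.com/ 302 text/html
"""

# One transaction per line: "<date> <time> <METHOD> <url> <status> <content-type>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Hosts that legitimately serve a Google results page and its assets.
GOOGLE_SUFFIXES = ("google.com", "gstatic.com", "googleusercontent.com")

# Content types that can rewrite the page: scripts and HTML (for redirects/frames).
ACTIVE_TYPES = ("javascript", "ecmascript", "text/html")


def parse_capture(text):
    """Turn capture lines into dicts; unparsable or blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entry["host"] = (urlparse(entry["url"]).hostname or "").lower()
        entries.append(entry)
    return entries


def is_trusted_host(host, suffixes=GOOGLE_SUFFIXES):
    """Exact match or a proper subdomain of a trusted suffix (so evilgoogle.com fails)."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_suspicious(entries, suffixes=GOOGLE_SUFFIXES):
    """Active content (script/HTML) served from a host that is not trusted for a Google search."""
    findings = []
    for e in entries:
        if is_trusted_host(e["host"], suffixes):
            continue
        if any(t in e["ctype"].lower() for t in ACTIVE_TYPES):
            findings.append(e)
    return findings


def suspicious_hosts(text):
    """Convenience wrapper: distinct offending hosts in first-seen order."""
    seen = []
    for e in find_suspicious(parse_capture(text)):
        if e["host"] not in seen:
            seen.append(e["host"])
    return seen


if __name__ == "__main__":
    for e in find_suspicious(parse_capture(SAMPLE_CAPTURE)):
        print(f"{e['ts']}  {e['host']:<24} {e['status']}  {e['ctype']}  {e['url']}")
```

Run against a real capture, the hosts this reports are the ones to look up and block at the hosts file or proxy while the infection is being removed; a capture taken from the clean browser (Chrome in the post) should produce an empty list, which makes a useful before/after check.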
danny09411 Posted April 6, 2010

> It seems that some malware/virus is dynamically modifying my Google search results in Firefox & IE but not in Chrome. For example, in Chrome the search results for "malware" contain:
>
> Jotti's malware scan
> Jotti's malware scan is a free online scan service, utilising various anti-virus programs to diagnose single files.
> virusscan.jotti.org/ - Cached - Similar
>
> McAfee Threat Center
> Potentially unwanted programs (PUPs) are not considered malware. ... A high incidence of new malware that potentially can cause damage has been reported. ...
> www.mcafee.com/us/threat_center/default.asp - Cached - Similar
>
> while in IE & Firefox they appear as:
>
> Jotti's malware scan
> Jotti's malware scan is a free online scan service, utilising various anti-virus programs to diagnose single files.
> spytds.com/ - Cached - Similar
>
> McAfee Threat Center
> Potentially unwanted programs (PUPs) are not considered malware. ... A high incidence of new malware that potentially can cause damage has been reported. ...
> trafgo.biz/ - Cached - Similar
>
> After some troubleshooting I see that the browser makes HTTP requests to googleadscentral.com and receives malicious JavaScript which is used to replace search results. The HTTP capture is attached. Would you have any suggestions on how to track down and remove this nuisance?
>
> Thanks

Try going into safe mode and doing a full scan with both SUPERAntiSpyware and Malwarebytes.

My forum: http://pchelpp.prophpbb.com/
5150 Posted April 7, 2010

The last time that happened on my end I traced it down to the TDSS rootkit. Some sites call it TDL; I'm pretty sure that's what MBAM found it as. Every time it removed it, it didn't: it was back within hours or days. I finally found a free TDSS rootkit remover that Kaspersky had released. I can't say with any certainty this is also what you have, but I thought I'd offer the info, just in case.
elsakurien85 Posted April 17, 2010

Thanks for the suggestion. I tried the TDSS rootkit removing tool from Kaspersky Lab but it did not report any infection. However, it led me to gmer and mbr.exe. gmer reported "rootkit-like behavior" in multiple sectors, e.g.

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

When I used the "copy" context menu on the reported item in gmer and saved it to a file on the hard disk, Microsoft Security Essentials identified it as Trojan:DOS/Sinowal.M. I then ran "mbr.exe -f" but that did not resolve all of them. Then, as instructed by mbr.exe, I used the Windows XP Recovery Console and fixmbr to remove the remaining infections.

Now Firefox is running faster and I don't seem to have infected search results. I shall keep watching before I assure myself that the malware is gone for good.
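The fix in the post above rewrote the boot sector, and the poster is now watching for the infection to come back. One way to make that watching mechanical is to record a hash of the MBR's boot-code region once the disk is known clean and compare against it later, while keeping the partition table readable so a legitimate partition change is not confused with a boot-code change. The code below is an added example for this thread, not a tool from the original poster, gmer, or mbr.exe; it works on a 512-byte sector passed in as bytes and builds a synthetic sector for demonstration, since reading sector 0 of a physical disk needs administrator rights and a platform-specific device open (on Windows the raw device is `\\.\PhysicalDrive0`), which is left outside the block.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR

# Little-endian partition entry: status, CHS start, type, CHS end, LBA start, sector count
PART_FMT = "<B3sB3sII"


def build_sample_mbr():
    """Constructed MBR for the example: tiny fake boot code, one bootable NTFS-type entry, signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 4)
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    empty_entry = b"\x00" * 16
    return boot_code + entry + empty_entry * 3 + SIGNATURE


def parse_mbr(sector):
    """Validate the sector and return the boot-code hash plus the populated partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            PART_FMT, sector[off:off + 16]
        )
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(sector, baseline_sha256):
    """Compare the current boot code with a hash recorded when the disk was known clean."""
    info = parse_mbr(sector)
    info["boot_code_changed"] = info["boot_code_sha256"] != baseline_sha256
    return info


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("baseline boot-code sha256:", baseline)

    # Simulate a later read where something rewrote part of the boot code.
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF
    result = check_against_baseline(bytes(tampered), baseline)
    print("boot code changed:", result["boot_code_changed"])
    print("partitions:", result["partitions"])
```

Store the baseline hash somewhere the machine cannot quietly alter (a note, a different system) rather than on the disk being watched; a changed boot code with an unchanged partition table is the pattern that matches what gmer and mbr.exe reported here, whereas a changed partition table usually points to a legitimate repartition.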