problems with google redirecting in IE

[Guest]

Hello. I have had problems accessing google in IE 6. When I type
"www.google.com" I am redirected to www.msn.com. This does not happen in
Firefox. I exphasize that I have noticed no other redirections or problems in
either browser. I'm using IE v 6.0.2900.2180.xpsp_sp2_rtm.(some numbers).

First I spoke with comcast, my ISP -- we determined the following:

1. Their DNS servers were correct (when I pinged www.google.com and used the
resulting actual IP address in IE's address bar it worked fine).

2. I have no host files on my system.

3. I flushed the DNS cache.

4. I killed all my cookies and temp files.

5. I have run adaware and eliminated everything it found.

6. I have run avast antivirus and found no viruses.

7. I have downloaded and run the Qhosts trojan removal tool and did not find
Qhosts on my system.

They directed me to my OEM. My OEM (Dell) and I established that it wasn't a
hardware problem. If I type "http://www.google.com/" then I can access
google. If I type "google" and then Control+Enter, I can access google. If I
type "google" and hit Enter, msn searches for google and I can click through
to Google. But "www.google.com" will take me to www.msn.com.

Bizarre.

Any ideas? I'd appreciate fixing this or knowing if it is a problem with
google and/or Microsoft's IE.

Thank you kindly,
Elliott Yates.

 

[Jim Byrd]

Hi Elliott - Download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your default Search functionality and reset your prefixes. You'll have to
manually re-select any Search Customizations you may have had, however.

 

[Guest]

Jim,

I ran that registry patch and immediately (without closing IE or rebooting)
typed www.google.com in the address bar -- it is still loading www.msn.com
instead. Any other ideas?

Thanks!

 

[Michael T]

If all the above fails, then the problem could be something new that the
spyware cleaners above don't have in their databases yet. In that case....

HijackThis direct download:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Tutorial on how to use HijackThis:
http://www.spywareinfo.com/~merijn/htlogtutorial.html
Then post it's output log to the forum here for analysis and feedback by the
parasite experts:
http://www.spywareinfo.com/forums/
Or the other HijackThis Logs forums listed here:
http://www.spywareinfo.com/~merijn/forums.html

 

[Jim Byrd]

Hi Elliot - Try closing all instances of IE, then running that fix. See
what happens then.

 

[Guest]

Michael,

Thanks for the reply. I ran the Hijackthis version from the link you
supplied, and here is the log file (I didn't change any configuration
options, just ran it straight off and saved the log file). I haven't noticed
anything that looks unusual based on the webpage you provide for
interpretation -- any more ideas? Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 3:29:50 PM, on 4/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\YATESF~1\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.mail.umn.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil
/RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
/SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
/IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash
/minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -
http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -
http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -
http://online.comcast.net/help/ (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144
- {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1112896355986
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe

 

[Guest]

OK, tried that too, but to no avail. Still the same -- when I type
"www.google.com" the status bar says "Opening http://www.msn.com/..." and
that's where it goes.

Elliott.

 

[Michael T]

Michael,

Thanks for the reply. I ran the Hijackthis version from the link you
supplied, and here is the log file (I didn't change any configuration
options, just ran it straight off and saved the log file).

I am no expert when it comes to these HijackThis log files. I agree that
nothing looks suspect. But as I mentioned in my previous post you may want
to post your output log to the forum here for analysis and feedback by the
parasite experts:
http://www.spywareinfo.com/forums/
Or the other HijackThis Logs forums listed here:
http://www.spywareinfo.com/~merijn/forums.html

Also, I would install the CWShredder (zip file) to get some of the most
nasty malware:
The CWShredder direct download is at :
http://aumha.org/downloads/cwshredder.zip

Once you unzip the file and launch cwshredder.exe, simply click the FIX
button.

 

[Sandi - Microsoft MVP]

When you say you have no hosts file, do you have the option to view all
hidden files enabled? If not, you won't be able to see the HOSTS files.
There should be, at least, sample hosts files on your system.

Also, what did AdAware remove? If only cookies, they were not implicated in
your problem. If something more sinister, we need details of exactly what
was removed so that we can trace back the changes which were made by the
malware and make sure they were properly reversed.

Comcast's DNS servers *have* been having problems recently, although the
fact that the ping's resultant IP address works tends to rule that out.

Because you are trying to access www.google.com without the HTTP prefix, IE
may not be operating properly there, and automatic search from addressbar
may be misdirecting - what search service have you set IE to use, both in
the search pane and for search from addressbar. Try disabling 'search from
addressbar' in IE's advanced options, then see what happens when you try to
go to www.google.com. Post back the results.

If there is a problem in the registry affecting HTTP, and/or autosearch is
causing weird issues, you should get a 'page cannot be displayed' error.

Please check your registry settings at this URL:
http://inetexplorer.mvps.org/answers_8.htm#extension

--

__________________________________________
Hyperlinks used to ensure advice is current
Sandi - Microsoft MVP since 1999
http://inetexplorer.mvps.org

Visit the Internet Explorer Community
http://www.microsoft.com/windows/ie/community/default.mspx