OT:Google hijack

Doum

Sorry, I'm aware it's not exactly the right group but if you can guide me
in the right direction.

When I do a search in Google and I click on a result, I'm redirected to all
sorts of pages that have nothing to do with my search.

I did a scan with ZoneAlarm Security suite, SuperAntispyware Pro and
Malwarebytes. Malwarebytes found one infected file and removed it but it
wasn't related to the Google problem.

Any idea?

This time, Google is NOT my friend.

TIA
 
Nil

When I do a search in Google and I click on a result, I'm
redirected to all sorts of pages that have nothing to do with my
search.

I did a scan with ZoneAlarm Security suite, SuperAntispyware Pro
and Malwarebytes. Malwarebytes found one infected file and removed
it but it wasn't related to the Google problem.

Check your hosts file (usually c:\windows\system32\etc\hosts).

You may find that Google and maybe other sites are redirected to
another, bogus address. If so, make a backup copy of the file and edit
out everything other than the one line:

127.0.0.1 localhost
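
The hosts file check suggested above can be scripted. The following is an added example, not part of the original post: it parses hosts-file text and lists every active entry that sends a name to a routable address. The sample content and the function names are constructed for illustration; on current Windows versions the real file is at `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample, not taken from the thread: stock entries plus
# two redirect entries of the kind the post describes.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com google.com   # constructed bogus entry
0.0.0.0         ads.example.net
198.51.100.7    update.example.org
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # comments are inert
        if not line:
            continue                           # blank or comment-only line
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        yield line_no, ip, [h.lower() for h in fields[1:]]

def suspicious_entries(text):
    """Return (line_no, ip, name) for names mapped to a routable address.

    Loopback and unspecified (0.0.0.0) targets can only block a name;
    they cannot send it to someone else's server, so they are skipped.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            findings.append((line_no, str(ip), name))
    return findings

if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Because the parser walks every line, it also reports entries placed far below a long run of blank lines, where they are easy to miss in an editor.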
 
Paul

Doum said:
Sorry, I'm aware it's not exactly the right group but if you can guide me
in the right direction.

When I do a search in Google and I click on a result, I'm redirected to all
sorts of pages that have nothing to do with my search.

I did a scan with ZoneAlarm Security suite, SuperAntispyware Pro and
Malwarebytes. Malwarebytes found one infected file and removed it but it
wasn't related to the Google problem.

Any idea?

This time, Google is NOT my friend.

TIA

You could always use a Linux LiveCD, such as Ubuntu, to be able to boot your
computer and do some searches on Google :)

A possibility is TDSS/Alureon, which is a rootkit. In the following article,
the OP used tdsskiller, but I don't know whether that is a complete solution,
or only manages to stop enough of it, so that other tools can finish the job.

http://groups.google.ca/group/alt.comp.freeware/msg/33da1c2aafd6f61b?dmode=source

http://www2.gmer.net/rootkits.php

http://www.gmer.net/#news

Another method is to hijack the translation of internet addresses.
It means forwarding attempts to translate an address, to a server
the malware people run. You could run Wireshark, and watch where the
traffic is going. (As "Nil" indicated, the local "hosts" file also
does these translations, on a local level. "hosts" is used to override
network based translation.)

http://en.wikipedia.org/wiki/Wireshark

If you want a clean way of translating an IP address, you'd use a site
like this. If you collect numeric addresses with Wireshark, you probably
could not trust any translation of those addresses with your own computer
(via command prompt and nslookup). I use this site sometimes, to compare
the translations my computer is doing, with the translations this server
can see where it is located.

http://www.zoneedit.com/lookup.html

Paul
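
The comparison described in the post above, between the translations the suspect computer gives and those seen by an independent lookup, can be expressed as a small check. This is an added example, not part of the original post: all names and addresses are constructed, and the reference answers are assumed to have been collected from a machine or service other than the suspect PC.

```python
from collections import defaultdict

# Constructed data: answers returned on the suspect PC ...
LOCAL = {
    "www.google.com":  {"203.0.113.45"},
    "www.bing.com":    {"203.0.113.45"},
    "www.example.org": {"198.51.100.20"},
    "cdn.example.net": {"192.0.2.10"},
}
# ... and answers for the same names from an independent lookup.
REFERENCE = {
    "www.google.com":  {"192.0.2.80", "192.0.2.81"},
    "www.bing.com":    {"198.51.100.90"},
    "www.example.org": {"198.51.100.20", "198.51.100.21"},
    "cdn.example.net": {"192.0.2.77"},
}

def compare_answers(local, reference):
    """Return {name: verdict} for names whose local answers look wrong.

    'review'        - no address in common with the reference. On its own
                      this is weak evidence: large sites hand out different
                      addresses by region and over time.
    'hijack-likely' - no address in common AND the same local address also
                      answers for other names, the usual picture when
                      lookups are being steered to one server.
    """
    names_per_ip = defaultdict(set)
    for name, ips in local.items():
        for ip in ips:
            names_per_ip[ip].add(name)

    findings = {}
    for name, ips in local.items():
        ref = reference.get(name)
        if not ref or ips & ref:
            continue                 # nothing to compare, or answers agree
        shared = any(len(names_per_ip[ip]) > 1 for ip in ips)
        findings[name] = "hijack-likely" if shared else "review"
    return findings

if __name__ == "__main__":
    for name, verdict in sorted(compare_answers(LOCAL, REFERENCE).items()):
        print(f"{name}: {verdict}")
```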
 
Doum

Check your hosts file (usually c:\windows\system32\etc\hosts).

You may find that Google and maybe other sites are redirected to
another, bogus address. If so, make a backup copy of the file and edit
out everything other than the one line:

127.0.0.1 localhost

Thank you for the quick reply.

I tried your suggestions and rebooted but it didn't work.

FWIW, my hosts file had only the above line and some comment lines
preceded by "#", I removed those lines but no changes in Google behavior.
 
The poster formerly known as 'The Poster Formerly

Doum said:
Sorry, I'm aware it's not exactly the right group but if you can guide me
in the right direction.

When I do a search in Google and I click on a result, I'm redirected to all
sorts of pages that have nothing to do with my search.

I did a scan with ZoneAlarm Security suite, SuperAntispyware Pro and
Malwarebytes. Malwarebytes found one infected file and removed it but it
wasn't related to the Google problem.

Any idea?

This time, Google is NOT my friend.

TIA

I bet you are using IE. This browser hijack likely has nothing to do
with google. Have you tried Spybot yet? Also clear out your temp
internet folders and jars if you have java installed.
 
Doum

The poster formerly known as 'The Poster Formerly Known as Nina DiBoy'
I bet you are using IE. This browser hijack likely has nothing to do
with google. Have you tried Spybot yet? Also clear out your temp
internet folders and jars if you have java installed.


I never said it had something to do with Google, I said that when I click
on a Google search result link it takes me to a page not related with the
link in the search result.

I am using IE AND Firefox. The problem exists in both browsers and began
when I tried to fix a problem which was Firefox freezing when there was a
video to play.

Now FF can play videos but Google is all f****d up.

Isn't Spybot the program that detects other anti-malware programs as
MALWARE?

I'll check out "jars" but I already cleared IE temp files and cookies. In
FF I found where to clear history but nowhere does it talk about "temp" files
and I don't necessarily want to clear history. I would prefer FF because
of the way it manages downloads but it is a little too buggy and crash
prone for my taste.
 
norm

Sorry, I'm aware it's not exactly the right group but if you can guide me
in the right direction.

When I do a search in Google and I click on a result, I'm redirected to all
sorts of pages that have nothing to do with my search.

I did a scan with ZoneAlarm Security suite, SuperAntispyware Pro and
Malwarebytes. Malwarebytes found one infected file and removed it but it
wasn't related to the Google problem.

Any idea?

This time, Google is NOT my friend.

TIA

Following the instructions on this site should help you:
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
 
PA Bear [MS MVP]

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via the Consumer Security Support home page:
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7 => Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now post the requested information (logs, etc.) in your own, new thread
in one (only) of the following recommended forums for assistance by an
expert in such matters. DO NOT SKIP THIS STEP!!

• SpywareHammer: Malware Removal
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0

• Spyware Warrior: Help with spyware removal
http://www.spywarewarrior.com/viewforum.php?f=5

• DSL Reports: Security Cleanup
http://www.dslreports.com/forum/cleanup

• Bluetack: Malware Removal
http://www.bluetack.co.uk/forums/index.php?showforum=172

• AumHa: Malware Removal
http://aumha.net/viewforum.php?f=30

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
 
John Hacker

Just ignore the previous message from a muppet. You will waste a lot of
time scanning your site using all that software given in the links. You
will be wise doing a clean install and start from scratch because within
an hour you will be up and running again completely clean of all viruses
and garbage planted by Microsoft.

Hope this helps.
 
Nil

Nil <[email protected]> wrote


Thank you for the quick reply.

I tried your suggestions and rebooted but it didn't work.

FWIW, my hosts file had only the above line and some comment
lines preceded by "#", I removed those lines but no changes in
Google behavior.

OK, at least that eliminates one possibility.

I should have mentioned that you could have ignored any lines preceded
by "#". They're comments that don't affect the effect of the file. You
could have left them in, but it doesn't really matter.
 
Doum

Just ignore the previous message from a muppet. You will waste a lot
of time scanning your site using all that software given in the links.
You will be wise doing a clean install and start from scratch because
within an hour you will be up and running again completely clean of
all viruses and garbage planted by Microsoft.

Hope this helps.

Anyway, I've been thinking about reformatting for a while now. It's been at
least 5 years since the last clean install and there have been hardware
changes on this machine (moving a high end audio interface to a newer
machine). For a few months, OE has been slow to start but for the rest
everything has been just about OK.

That hijack is the trigger that will make me do it, but I will experiment
with regcleaner for the fun of it before doing it, I'll make my up-to-date
backup before.

Pentium4 3.0 GHz - 2 GB RAM. Mostly internet and word processing.
 
Peter Taylor

For a few months, OE has been slow to start

How big are your .dbx files? You should seriously consider using
Thunderbird as Outlook Express is no longer supported. Thunderbird has a
calendar add on called Lightning, a very good junk filter, real time
spell check as you type and is much easier to back up and restore. You
can get it at http://www.mozilla.com/thunderbird.
 
Doum

How big are your .dbx files? You should seriously consider using
Thunderbird as Outlook Express is no longer supported. Thunderbird has a
calendar add on called Lightning, a very good junk filter, real time
spell check as you type and is much easier to back up and restore. You
can get it at http://www.mozilla.com/thunderbird.

Is there a way to transfer the emails I want to keep from OE to Thunderbird
or does T-bird understand dbx files as is?

TIA
 
Doum

The poster formerly known as 'The Poster Formerly Known as Nina DiBoy'
I bet you are using IE. This browser hijack likely has nothing to do
with google. Have you tried Spybot yet? Also clear out your temp
internet folders and jars if you have java installed.

Spybot didn't fix this problem.
 
Peter

Doum said:
Is there a way to transfer the emails I want to keep from OE to Thunderbird
or does T-bird understand dbx files as is?

TIA

The easy way would be to install T-Bird now and import the OE files. You
will be given that option when you first install T-Bird. Once done, go
into the Mozilla Thunderbird folder under Documents and Settings/User
Name/Application Data/Thunderbird and copy everything in the folder to a
pen drive. Once you reinstall XP, install T-Bird and open it and cancel
it when it asks you to import or configure an email or news account.
Copy what you have on the pen drive and paste it into the Thunderbird
folder under Documents and Settings/User Name/Application
Data/Thunderbird after deleting what the new install of T-Bird created
when you opened it and your T-Bird will be exactly the way it was before
the XP reinstall, including passwords :) Look around in the preferences
and elect to use Spam Assassin for the Junk Filter. T-Bird is a bit
different than OE but it's pretty easy to make the switch. I have a
short cut to Documents and Settings/User Name/Application
Data/Thunderbird on my desktop so I can easily back it up every day.

For a more detailed explanation, see:

http://kb.mozillazine.org/Import_from_Outlook_Express

You'll find some other useful links for using T-Bird at the above link
as well.
 
Doum

The easy way would be to install T-Bird now and import the OE files.
You will be given that option when you first install T-Bird. Once
done, go into the Mozilla Thunderbird folder under Documents and
Settings/User Name/Application Data/Thunderbird and copy everything in
the folder to a pen drive. Once you reinstall XP, install T-Bird and
open it and cancel it when it asks you to import or configure an email
or news account. Copy what you have on the pen drive and paste it into
the Thunderbird folder under Documents and Settings/User
Name/Application Data/Thunderbird after deleting what the new install
of T-Bird created when you opened it and your T-Bird will be exactly
the way it was before the XP reinstall, including passwords :) Look
around in the preferences and elect to use Spam Assassin for the Junk
Filter. T-Bird is a bit different than OE but it's pretty easy to make
the switch. I have a short cut to Documents and Settings/User
Name/Application Data/Thunderbird on my desktop so I can easily back
it up every day.

For a more detailed explanation, see:

http://kb.mozillazine.org/Import_from_Outlook_Express

You'll find some other useful links for using T-Bird at the above link
as well.

TY
 
Paul

John said:
Just ignore the previous message from a muppet. You will waste a lot of
time scanning your site using all that software given in the links. You
will be wise doing a clean install and start from scratch because within
an hour you will be up and running again completely clean of all viruses
and garbage planted by Microsoft.

Hope this helps.

But the scan will tell you what it was.

And then you can reinstall.

If you know what it was, maybe you can figure out where it
came from, or how you got it. And avoid getting it again?

Paul
 
