Google - hijacked?

Hi.

Having issues with Google today, it keeps getting directed away from the links I choose.

If I click on Tesco, for example, I get this:

http://newserversearch.com/?q=tesco

Then directed to one of these price sites ;
Xittle.co...
blinkx.co...

Have run Adaware (free version) full scan, but still happens.

Any advice please :)

Cheers.
 
Thanks.

So far ;

Ran Adaware full scan - No luck

Downloaded, installed, updated and ran Malwarebytes full scan.

Clicked on Argos.co.uk

Was sent to http://www.bigdealfinder.co.uk

:(

Anything else I can try?

Cheers for the help so far :)
 
check your hosts file for dodgy entries

I'd say it's either your machine/browser being hijacked by malware or your DNS servers being hijacked.

what happens when you look up argos.co.uk using nslookup?

you should get:

argos.co.uk. 21600 IN A 129.35.70.106
 
Oddly enough, something very similar has been happening to me all day here at work too!! :confused:

I've run Malwarebytes which has detected a couple of threats, so I've deleted those. Hopefully that should be it gone.
 
sorry for the copy/paste, but do this


disable system restore
remove your 'av'
run ccleaner slim http://www.ccleaner.com/download/builds/downloading-slim
run nod32 trial http://www.eset.com/download/free_trial_download_int.php
run mbam http://www.malwarebytes.org/mbam-download.php
run spybot http://fileforum.betanews.com/download/Spybot-Search-Destroy/1043809773/1


still screwed?
run combofix http://www.bleepingcomputer.com/combofix/how-to-use-combofix


following this, stop going to bad sites etc

use firefox http://www.mozilla-europe.org/en/firefox/
install this addon for firefox https://addons.mozilla.org/en-US/firefox/addon/1865

when firefox opens following the restart, tick the 'Easylist' subscription



Now remove the NOD32 trial and spybot and install Microsoft Security Essentials
 
Bit more info.

If I type 'Argos' into the Google search box, it brings up 'argos.co.uk' and that link works.

If I type 'digital photo frame' in the search box, then choose the Argos link, it gets diverted.

:confused:
 
sounds like malware

check your hosts file for unwelcome entries (system32/drivers/etc/hosts - not on a windows os so double check that)
try running combofix?
 
Combofix is not available according to the site, tried all the other things in bledds' post - No joy, still the same :(

Can't even get to the Microsoft download site to download the Essentials program. I search for it and the link I click gets diverted away.

What am I looking for in the host folder, I have:

hosts 15/12/09 file
hosts.20091215-212059.backup 18/09/2006 BACKUP file
lmhosts.sam 18/09/2006 SAM file
networks 18/09/2006 file
protocol 18/09/2006 file
services 18/09/2006 file

Any help ?

Thanks.
 
what does the file hosts contain?

i see it was last modified today - looks suspicious



this ;

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com

Then a few hundred similar entries

127.0.0.1 zyban-zocor-levitra.com
# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy
 
ok so it's not that, thought it might have been a little unsophisticated but I was wrong there

the entries made by Spybot are part of its immunization process (I presume you have run this today with the date of the hosts file being today?)

what if you boot to safe mode and try rescanning for malware with anti malware products from a few vendors? not sure how much luck you will have with this

what if you try a different browser - firefox / safari / chrome?
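
An added example, not part of any post in this thread: a hosts-file audit that separates loopback "immunization" entries like the Spybot ones above from entries that point a name at a real address, which is what a hosts-file hijack would look like. The sample text is constructed; the 192.0.2.55 line and the example.test names are assumptions for illustration.

```python
import ipaddress

# Constructed sample modelled on the hosts file quoted in the thread, plus one
# constructed hijack line (192.0.2.0/24 is a documentation-only range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 zyban-zocor-levitra.com
# End of entries inserted by Spybot - Search & Destroy
192.0.2.55 www.google.co.uk google.co.uk   # constructed hijack entry
0.0.0.0 ads.example.test
not-an-ip broken.example.test
"""

def is_sinkhole(addr):
    """Loopback/unspecified addresses only block a name; they cannot redirect it."""
    return addr.is_loopback or addr.is_unspecified

def audit_hosts(text):
    """Return (redirects, blocked_count, malformed) for the text of a hosts file."""
    redirects, blocked, malformed = [], 0, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            malformed.append((lineno, raw.strip()))
            continue
        names = [n.lower() for n in fields[1:]]
        if is_sinkhole(addr):
            blocked += sum(1 for n in names if n != "localhost")
        else:
            # Not proof of malware (LAN entries are legitimate), but worth review.
            redirects.extend((lineno, str(addr), n) for n in names)
    return redirects, blocked, malformed

if __name__ == "__main__":
    redirects, blocked, malformed = audit_hosts(SAMPLE_HOSTS)
    print(f"{blocked} names blocked via loopback (immunization-style entries)")
    for lineno, addr, name in redirects:
        print(f"line {lineno}: {name} -> {addr}  REVIEW: maps to a real address")
    for lineno, raw in malformed:
        print(f"line {lineno}: unparseable entry: {raw}")
```

To audit a real file, pass its contents to `audit_hosts()`; on Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts`.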
 
Here's a report generated by HijackThis from Trend Micro.

I stumbled upon it via a Google search, and it seems I'm not alone in this problem - Several posts with identical redirect problems.

Anything look odd in this :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36:25, on 15/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4390 bytes
 