Solved

Internet explorer and Firefox being redirected when trying to open from a search page

Posted on 2009-07-14
Last Modified: 2012-05-07
Small problem that is bugging me. Using IE or Firefox I am unable to open any links from a google search. It shows a small box at the top middle saying "one moment please" then displays options to open other websites. I can do a google search but am redirected when I try to click on anything. I also can not access either Google.com or google.ca. It simply will not open the web page. It is simply blank. This is windows XP pro SP3 using IE 7 with all updates. Antivirus is Avast home and spybot installed. I have attached the log file of hijackthis if it helps. Thanks for your help.
hijackthis.log
0
Question by:robsky1
12 Comments
 
LVL 28

Expert Comment

by:Jan Springer
Could be one of three things (if the machine is not compromised):

1) you have a proxy configured in the browser
2) your http traffic is being diverted
3) the DNS servers are handing you addresses for domains in which they are not authoritative

When you do a dig/host/nslookup of www.google.com (the IPs are the same as www.google.ca), do you see:

www.google.com is an alias for www.l.google.com.
www.l.google.com has address 66.102.1.104
www.l.google.com has address 66.102.1.147
www.l.google.com has address 66.102.1.99
www.l.google.com has address 66.102.1.103
0
 

Author Comment

by:robsky1
Hi Jesper
I checked and the proxy is not configured in the browser. For sure my traffic is being diverted. When I do an nslookup for google I come up with a range between 74.125.95.99 to 74.125.95.103-.104 -.105 - .106 - .147. These are true google IP addresses. When I do a "whois" search for the ip addresses in the hijackthis log file (89.149.210.106) it points me to a company in Amsterdam that points to someone in Poland.
0
 
LVL 6

Expert Comment

by:bobohost
Yeah sounds like you have some stuff on your system.  Start by running Malwarebytes

http://www.malwarebytes.org/

Very good program to clean out your system.
0
 
LVL 28

Expert Comment

by:Jan Springer
What anti-virus software are you running (other than hijackthis)?

And, have you tried changing your DNS server IP to another completely off net (OpenDNS offers free service ->  208.67.222.222)?  This would help determine if your local machine is the problem or your DNS server.

Are you using Google Chrome?
0
 

Author Comment

by:robsky1
Hi Bobohost
I already tried malwarebytes and was surprised that it did not fix/find the problem. It's the first time it failed me.
Jesper
I'm using Avast home edition. I'll look into openDNS and let you know but as I'm getting a message telling me in the browser that the request is being processed, I'm pretty sure that's a local issue. Google chrome was installed and has since been removed.
0
 
LVL 6

Expert Comment

by:bobohost
Do you have a hijackthis log for this system?  Have you tried running ComboFix?
0
 

Author Comment

by:robsky1
Hi Bobohost
If you look at the attachments to this post, you will see the text file from Hijackthis. I have looked into combofix and it seems to have issues with it when installed/run. I'll consider it as a last resort but would REALLY like to know what I'm being hijacked by.
0
 
LVL 6

Expert Comment

by:bobohost
Ok let me review the log and see what I find.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
Fix these entries in Hijackthis:
O2 - BHO: ALOT Toolbar BHO - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)  
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O1 - Hosts: 89.149.210.106 www.google.com
O1 - Hosts: 89.149.210.106 www.google.de
O1 - Hosts: 89.149.210.106 www.google.fr
O1 - Hosts: 89.149.210.106 www.google.co.uk
O1 - Hosts: 89.149.210.106 www.google.com.br
O1 - Hosts: 89.149.210.106 www.google.it
O1 - Hosts: 89.149.210.106 www.google.es
O1 - Hosts: 89.149.210.106 www.google.co.jp
O1 - Hosts: 89.149.210.106 www.google.com.mx
O1 - Hosts: 89.149.210.106 www.google.ca
O1 - Hosts: 89.149.210.106 www.google.com.au
O1 - Hosts: 89.149.210.106 www.google.nl
O1 - Hosts: 89.149.210.106 www.google.co.za
O1 - Hosts: 89.149.210.106 www.google.be
O1 - Hosts: 89.149.210.106 www.google.gr
O1 - Hosts: 89.149.210.106 www.google.at
O1 - Hosts: 89.149.210.106 www.google.se
O1 - Hosts: 89.149.210.106 www.google.ch
O1 - Hosts: 89.149.210.106 www.google.pt
O1 - Hosts: 89.149.210.106 www.google.dk
O1 - Hosts: 89.149.210.106 www.google.fi
O1 - Hosts: 89.149.210.106 www.google.ie
O1 - Hosts: 89.149.210.106 www.google.no
O1 - Hosts: 89.149.210.106 search.yahoo.com
O1 - Hosts: 89.149.210.106 us.search.yahoo.com
O1 - Hosts: 89.149.210.106 uk.search.yahoo.com



And here's the Combofix canned as has been suggested. We need to see the log also.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.


Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


0
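An added example, not part of the original thread: a small Python check that pulls the `O1 - Hosts:` lines out of a HijackThis log and flags any that pin a hostname to a public address, which is the pattern in the entries listed above. Because nslookup queries the DNS server directly and does not read the hosts file, it can return genuine addresses while the browser follows the hosts entry. The sample log is constructed from the line format shown in the answer; `ads.example.test` is a made-up name.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the HijackThis line format quoted in the answer above.
SAMPLE_LOG = """\
O1 - Hosts: 89.149.210.106 www.google.com
O1 - Hosts: 89.149.210.106 www.google.ca
O1 - Hosts: 89.149.210.106 search.yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.test
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+)$")


def parse_o1_hosts(log_text):
    """Return {ip: [hostnames]} for every O1 hosts entry in the log."""
    mapping = defaultdict(list)
    for line in log_text.splitlines():
        match = O1_RE.match(line.strip())
        if not match:
            continue  # not a hosts-file entry (O2, O4, ...)
        ip_text, names = match.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed address, nothing to resolve to
        # Drop a trailing "# comment" and lowercase the names for comparison.
        hosts = names.split("#", 1)[0].split()
        mapping[str(ip)].extend(h.lower() for h in hosts)
    return dict(mapping)


def suspicious_redirects(mapping):
    """Keep only entries that send a name to a publicly routable address.

    Loopback and 0.0.0.0 entries are the usual blocklist style and private
    addresses are typical intranet overrides, so they are not reported.
    """
    flagged = {}
    for ip_text, names in mapping.items():
        if ipaddress.ip_address(ip_text).is_global:
            flagged[ip_text] = sorted(set(names))
    return flagged


if __name__ == "__main__":
    for ip, names in suspicious_redirects(parse_o1_hosts(SAMPLE_LOG)).items():
        print(f"{ip} overrides {len(names)} name(s): {', '.join(names)}")
```

A single public address claiming many unrelated search domains, as in this thread, is the signal worth a closer look.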
 
LVL 6

Expert Comment

by:bobohost
Also I would recommend using the latest version of HiJackThis which you can download here

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
0
 

Author Closing Comment

by:robsky1
Hi rpggamergirl
That did it! By removing the registry entries it resolved the problem. I would have split the points with bobohost except the suggestion to use combofix did not find anything. Sorry bobohost. Thank you again and also to everyone who tried to help.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Glad to know it's now resolved.

Next time you use Hijackthis, download the latest version as already suggested.

TrendSecure site Hijackthis download:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Thanks!
0
