Solved

Internet explorer and Firefox being redirected when trying to open from a search page

Posted on 2009-07-14
Last Modified: 2012-05-07
Small problem that is bugging me. Using IE or Firefox I am unable to open any links from a Google search. It shows a small box at the top middle saying "one moment please" then displays options to open other websites. I can do a Google search but am redirected when I try to click on anything. I also cannot access either Google.com or google.ca. It simply will not open the web page. It is simply blank. This is Windows XP Pro SP3 using IE 7 with all updates. Antivirus is Avast Home and Spybot installed. I have attached the log file of HijackThis if it helps. Thanks for your help.
hijackthis.log
0
Question by:robsky1
12 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24849836
Could be one of three things (if the machine is not compromised):

1) you have a proxy configured in the browser
2) your http traffic is being diverted
3) the DNS servers are handing you addresses for domains in which they are not authoritative

When you do a dig/host/nslookup of www.google.com (the IPs are the same as www.google.ca), do you see:

www.google.com is an alias for www.l.google.com.
www.l.google.com has address 66.102.1.104
www.l.google.com has address 66.102.1.147
www.l.google.com has address 66.102.1.99
www.l.google.com has address 66.102.1.103
0
 

Author Comment

by:robsky1
ID: 24850960
Hi Jesper
I checked and the proxy is not configured in the browser. For sure my traffic is being diverted. When I do an nslookup for google I come up with a range between 74.125.95.99 to 74.125.95.103-.104 -.105 - .106 - .147. These are true Google IP addresses. When I do a "whois" search for the IP address in the HijackThis log file (89.149.210.106) it points me to a company in Amsterdam that points to someone in Poland.
0
 
LVL 6

Expert Comment

by:bobohost
ID: 24851113
Yeah sounds like you have some stuff on your system.  Start by running Malwarebytes

http://www.malwarebytes.org/

Very good program to clean out your system.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24851136
What anti-virus software are you running (other than hijackthis)?

And, have you tried changing your DNS server IP to another completely off net (OpenDNS offers free service ->  208.67.222.222)?  This would help determine if your local machine is the problem or your DNS server.

Are you using Google Chrome?
0
 

Author Comment

by:robsky1
ID: 24851232
Hi Bobohost
I already tried Malwarebytes and was surprised that it did not fix/find the problem. It's the first time it failed me.
Jesper
I'm using Avast Home edition. I'll look into OpenDNS and let you know, but as I'm getting a message in the browser telling me that the request is being processed, I'm pretty sure that's a local issue. Google Chrome was installed and has since been removed.
0
 
LVL 6

Expert Comment

by:bobohost
ID: 24851379
Do you have a HijackThis log for this system?  Have you tried running ComboFix?
0
 

Author Comment

by:robsky1
ID: 24852280
Hi Bobohost
If you look at the attachments to this post, you will see the text file from HijackThis. I have looked into ComboFix and it seems to have issues with it when installed/run. I'll consider it as a last resort but would REALLY like to know what I'm being hijacked by.
0
 
LVL 6

Expert Comment

by:bobohost
ID: 24852381
Ok let me review the log and see what I find.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 24855604
Fix these entries in Hijackthis:
O2 - BHO: ALOT Toolbar BHO - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)  
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O1 - Hosts: 89.149.210.106 www.google.com
O1 - Hosts: 89.149.210.106 www.google.de
O1 - Hosts: 89.149.210.106 www.google.fr
O1 - Hosts: 89.149.210.106 www.google.co.uk
O1 - Hosts: 89.149.210.106 www.google.com.br
O1 - Hosts: 89.149.210.106 www.google.it
O1 - Hosts: 89.149.210.106 www.google.es
O1 - Hosts: 89.149.210.106 www.google.co.jp
O1 - Hosts: 89.149.210.106 www.google.com.mx
O1 - Hosts: 89.149.210.106 www.google.ca
O1 - Hosts: 89.149.210.106 www.google.com.au
O1 - Hosts: 89.149.210.106 www.google.nl
O1 - Hosts: 89.149.210.106 www.google.co.za
O1 - Hosts: 89.149.210.106 www.google.be
O1 - Hosts: 89.149.210.106 www.google.gr
O1 - Hosts: 89.149.210.106 www.google.at
O1 - Hosts: 89.149.210.106 www.google.se
O1 - Hosts: 89.149.210.106 www.google.ch
O1 - Hosts: 89.149.210.106 www.google.pt
O1 - Hosts: 89.149.210.106 www.google.dk
O1 - Hosts: 89.149.210.106 www.google.fi
O1 - Hosts: 89.149.210.106 www.google.ie
O1 - Hosts: 89.149.210.106 www.google.no
O1 - Hosts: 89.149.210.106 search.yahoo.com
O1 - Hosts: 89.149.210.106 us.search.yahoo.com
O1 - Hosts: 89.149.210.106 uk.search.yahoo.com



And here's the Combofix canned as has been suggested. We need to see the log also.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.


Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


0
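The fix in the accepted answer comes down to removing hosts-file entries that pin search-engine names to a single foreign address. As an added example (not part of the original thread), this Python check flags such entries in either a raw hosts file or HijackThis O1 lines; the watched-name pattern, the function names and the sample input (built from entries quoted above plus two benign lines) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three O1 lines quoted in the answer above,
# plus two benign entries added for contrast.
SAMPLE_LOG = """\
O1 - Hosts: 89.149.210.106 www.google.com
O1 - Hosts: 89.149.210.106 www.google.ca
O1 - Hosts: 89.149.210.106 search.yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.1.20 fileserver.lan
"""

# Assumption: names that have no reason to be pinned in a hosts file.
WATCHED = re.compile(r"(^|\.)(google\.[a-z.]+|yahoo\.com)$", re.I)

def parse_entries(text):
    """Yield (ip, hostname) from hosts-file lines or HijackThis O1 lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop hosts-file comments
        if line.startswith("O1 - Hosts:"):
            line = line[len("O1 - Hosts:"):].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address line
        for name in fields[1:]:                   # one line may list aliases
            yield ip, name.lower()

def suspicious_entries(text):
    """Return {ip: [hostnames]} for watched names pinned to a real address.

    Loopback and 0.0.0.0 targets are skipped: those are the usual
    blocklist idiom, not a redirect.
    """
    hits = defaultdict(list)
    for ip, name in parse_entries(text):
        if WATCHED.search(name) and not (ip.is_loopback or ip.is_unspecified):
            hits[str(ip)].append(name)
    return dict(hits)

if __name__ == "__main__":
    for ip, names in suspicious_entries(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} watched names overridden -> {', '.join(names)}")
```

On Windows XP the hosts file to feed it is C:\WINDOWS\system32\drivers\etc\hosts; any address it reports can then be compared with what nslookup returns for the same name, as discussed earlier in the thread.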
 
LVL 6

Expert Comment

by:bobohost
ID: 24860698
Also I would recommend using the latest version of HiJackThis which you can download here

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
0
 

Author Closing Comment

by:robsky1
ID: 31603264
Hi rpggamergirl
That did it! By removing the registry entries it resolved the problem. I would have split the points with bobohost except the suggestion to use ComboFix did not find anything. Sorry bobohost. Thank you again and also to everyone who tried to help.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24869551
Glad to know it's now resolved.

Next time you use HijackThis, download the latest version as already suggested.

TrendSecure site Hijackthis download:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Thanks!
0

Question has a verified solution.
