
Google resolving to or

Got a virus on an XP SP3 computer the other day.  
Have run Malwarebytes to remove bad registry and file entries.   Have deleted a hidden Hosts file from the etc directory.
Whenever I ping www.google.com on the pc, it's trying to go to either or
NSLookup cannot resolve www.google.com   it tries to look at my local dns server, then does a 2 second time out ... seeming not ever trying to go the outside world to check the non-authoritative dns servers
I have NO idea where it's getting these IPs from, file, registry or what.   Doesn't matter what user I'm logged in as either, so if it's registry, must be in the Local Machine area.

Anyone else ever deal with this and resolve?   I don't want to re-image the machine yet as I'm extremely curious as to how the el' a setting like this could be set on searching type websites only.
I say that because I can go to yahoo.com , but if I do an actual search, it fails out as if it was being redirected to a bad site that is obviously down now.

Tags: Anti-Virus Apps, Anti-Spyware, DNS

Last Comment: Dave Messman, 8/22/2022 - Mon

I wonder if this is the same as what was posted recently; try looking at this thread.

Sudeep Sharma


You missed the link for FixTDSS from Symantec.

Here is the link

I hope that helps.


One thing I don't want as answer is to download a bunch of tools to find the problem.   I want to know the root cause.  Where in the registry or what file is causing the redirection.   It doesn't seem that any of the posts in that other thread ever get to where the problem actually stemmed from.

Seems to me that if you booted the PC in safe mode w/networking, the problem would not exist if there was a hidden service or an extraordinary service loading.   This PC has a full, working version of McAfee Enterprise running on it.

It seems to be deeper than just a running service or program the way it's being choosy with nslookup and all.

This is the only system having the problem so Infected router...nope.


The Experts trying to help you really don't have a lot of information to go on. It appears as though you have some kind of re-direct malware still on your system.

Denigrating the advice we offer is not really the best way to encourage volunteers to keep helping you.

You are the one who used improper procedures to clean your system and I was giving you the proper methods.

If you want to work through this problem, I will be glad to give you the best advice I have. If you don't want to follow the advice, I will go help someone else.

Your choice.

As far as "Seems to me that if you booted the PC in safe mode w/networking..." no legitimate Expert volunteer will tell you to do that - unless your system will not boot to Normal Mode (or as a last resort).

You might also want to check your "HOSTS" file (open it with Notepad) located at:

It should look something like this (unless YOU have modified it):

#     rhino.acme.com          # source server
#     x.acme.com              # x client host
      localhost

Any other entries MAY have been made by the malware.
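The HOSTS check above can be automated. The following script is an added example, not code from the thread or from any of its participants: it parses a hosts file and flags any entry for the search-engine domains the question mentions (google, bing, yahoo), since a clean default hosts file never lists them at all. The sample text embedded in the script is constructed for the demo; the IP 198.51.100.7 is a documentation-range address, not a real redirect target.

```python
import ipaddress

# Domains the thread reports as being redirected. A legitimate default hosts
# file never maps these, so any entry for them is worth a look.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com")

# Constructed sample hosts file: a normal localhost line plus one hijack entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
#     102.54.94.97    rhino.acme.com          # source server
127.0.0.1       localhost
198.51.100.7    www.google.com  google.com   # constructed hijack entry
"""


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) tuples from hosts-file text.

    Comments (everything after '#') and blank or malformed lines are skipped,
    so commented-out example lines in the stock file are not reported.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            # Not a valid address in the first column; ignore the line.
            continue
        entries.append((ip, [h.lower() for h in parts[1:]]))
    return entries


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return [(hostname, ip_string)] for every watched domain present in the file.

    Loopback and 0.0.0.0 mappings are reported too: pointing a search engine
    at localhost blocks it just as effectively as pointing it at a rogue host.
    """
    findings = []
    for ip, hosts in parse_hosts(text):
        for host in hosts:
            if is_watched(host):
                findings.append((host, str(ip)))
    return findings


def has_localhost_entry(text):
    """True if the file still maps 'localhost' to a loopback address."""
    return any(
        "localhost" in hosts and ip.is_loopback for ip, hosts in parse_hosts(text)
    )


if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
    if not has_localhost_entry(SAMPLE_HOSTS):
        print("warning: no loopback entry for localhost")
```

To check a real machine, read the file from the path the post above refers to and pass its contents to find_hijacks; an empty result means the hosts file is not the cause of the redirect, which matches what the question's author reported and is why the driver-level finding later in the thread matters.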

I'm not meaning to be dejecting of the advice and I will attempt to do additional scans with other tools.  What I'm saying is that I'm trying to find someone who has already dealt with this problem and actually found the root cause of why a computer would choose to ping to these particular IPs only for Google, Bing, Yahoo (search engines)   It's obvious malware and obviously some file or setting has been changed.   I have yet to find where anyone has found a solution to this problem and can legitimately say something to the effect that "it was a setting in the registry @ HKLM...."     Know what I'm saying?  

And WTF are you talking about with "improper procedures"?   How do you know what procedures I have even attempted?     Safe mode is a good way to test if there is a bad service running BTW...
I have found that Malwarebytes actually catches and removes more things when run in this mode than in Normal.

You are welcome to go "help" someone else.

"And WTF are you talking about with "improper procedures"?"

Since you ask, I will be more specific - and then unsubscribe.

Using Malwarebytes (or any other scanner) without first running a rogue processor stopper is an "improper procedure". You are the one who described your procedure in the original question - and it is 'improper'.

Although there are frequently solid symptoms that point to a specific tool/scanner, I can't recall dealing with this specific situation - and I do malware repair all day/every day. It is my business to know these things (literally).

When we (Experts) cannot offer targeted advice based on the information available, we have to start eliminating the 'possibles' - then deal with what is left.

I'll let others work with you now - but don't forget to check your HOSTS file.


If you had actually read my original question, you would have seen that I said I deleted the HOSTS file..even the hidden one.... just saying.

BTW - I've been in IT since '90, I do this every day too.  I'm not some goofball 14 year old kid.   When you talk about eliminating possibilities, if you boot a computer in safe mode with networking, and it STILL does it...you've eliminated a bunch of possibilities in my book.

Anyway, on to actually trying to find the ROOT cause of this problem.  

Okay, so I downloaded and ran   TDSSKiller and it found ACPI.sys to be infected.     Looks like I'm going to have to call McAfee and ask them why their Enterprise software can't seem to detect an infected file..yes?  Such BS.

So I'm left wondering why acpi.sys would affect DNS for google.com and the like, but I'm resolved to say that since it was a virus, being associated with acpi.sys really has no correlation.  acpi.sys does not have anything to do with DNS, search engine preferences and the like...yes?     Correct me if I'm wrong.  How it was affecting the outcomes of nslookup and all that...I'd still like to know.

I'm guessing that the infected process was recognizing any traffic going to google.com and other internet searches and attempting to re-direct.

I will admit, Younghv had good suggestions, but seemed to take things a bit personally when I was explaining how I didn't want just a bunch of suggestions of scanning tools and all.
I will also admit that I'm a little on edge right now with the passing of my father-in-law and my wife being gone for over 2 weeks attending to the after business of all that.    Please excuse me for being ohhhh snap-py



Sorry to hear about what you're going through. We've all been through rough patches and sometimes cordiality suffers (I'm guilty of that).

As you know, the methods of infection are many and varied - and you probably won't be able to actually trace the source.

The variants of malware and the methods of infection are almost limitless and neither McAfee nor any other single vendor is going to give you 100% protection.

We have had some really great discussions here on EE about building "Defense in Depth" for systems/networks with a variety of software and hardware recommendations.

This question is kind of toasted - not only with the comments, but the fact that it has been closed.

Most Experts won't look at it again to see further discussion.

If you would like to open a new question, describe your system/network architecture and ask for recommendations for improving security.

We do have a lot of SysAdmins/Network Security types who will weigh in and give you their thoughts.

Forgot to mention...
"acpi.sys" is just a likely target file 'name' for malware. As I recall, it sits down in the c:\windows\System32\DRIVERS\ folder and is going to be replaced readily when you do driver/system updates.

Often the malware writers will target legitimate files (file names) for writing their little crap applications - because when we look at it we tend to think "Oh yeah, good old acpi.sys - that's a safe file."

There is no way for me to know what that file was actually telling your system to do (it can do about anything the black-hearted malware moron wants it to), but in this case it was affecting your browser.

Some of the really sharp malware fighters know exactly which file goes in which folder, so they can spot problems if it is out of place - plus the writers will often modify the file name slightly (apci.sys) and your eye will tend to skip over it.

We have a couple of Experts here who can get right down in the weeds with this stuff and if you post a new question, I'll ping them to take a look.
Sudeep Sharma


SSharma...you just blew my mind.... LOL   That's some deeeeep matrix stuff there hee hee!  Cool info for sure.  I don't think most people think about viruses/malware being that deeply embedded on a PC.

Thanks for both of your help.

This infection that prevents using the three most common search sites (google, bing, yahoo) is still out there and prevalent. I had the SAME symptoms as above where www.google.com kept resolving to instead of a correct IP address. The malware (possibly several different species of it) was installed when my son browsed to a hijacked website, and presumably clicked somewhere he shouldn't have. Using tools such as Malwarebytes, online forums, and basic sleuthing, I was able to remove bad registry entries with values such as "findgala", and files in the Application Data directories with values such as "Smart Engine" and "APdff_8047.exe". The HOSTS file didn't appear to be affected, but I replaced it anyway with a clean version. It wasn't until I used Kaspersky's TDSSKiller that the final infected file was found:

Type: Service
Name: ACPI
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: system32\DRIVERS\ACPI.sys
Suspicious states: Forged file

I too would like to know how the driver file was capable of targeting selected websites.

The symptoms were very interesting. I could not successfully browse to www.google.com or search.google.com, but I could visit news.google.com. Also, any web page I visited that included client-side google analytics would be unable to load that command. Some embedded facebook modules on web pages would also not load.
Dave Messman

I had a user who had his google searches redirected to the other day.  I had taught him to use Malwarebytes in safe mode, so he was able to clear the main fakealert virus, but still his google searches and google apps were being redirected.  This was the only sign of infection.  In the end, I ran ComboFix, which found rootkit malware that it said could be leading to networking issues.  After letting ComboFix do its clean, the redirection was gone.  So as of 5/11/12, ComboFix was able to solve this issue for me.