Browser Redirecting to Google. Help

Live forum: http://forum.freeipodguide.com/viewtopic.php?t=43787

ffactoryxx

30-07-2006 16:05:32

Sometimes when surfing, my pages get redirected to a Google search page with Google searching for porn-related items. Sometimes it just redirects me to a porn site, but all the links on it go to just another search site!

This is pretty fucking annoying.

I scanned with a lot of programs: HJT, AdAware, Spybot S&D, AVG.

This happens in Firefox

dmorris68

30-07-2006 16:15:17

You got a bug somewhere. Sounds like a search engine hack or something. Those programs you mentioned should have found it, unless you've got a trojan extension. I've heard of malware FF extensions being released, but have never run across one myself.

Have you tried it in IE too? If it does it in IE, check your hosts file (C:\Windows\System32\drivers\etc\hosts, assuming you're running XP/2K) and make sure it doesn't have bogus mappings to google.com. If you haven't added anything to it, it should look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

If it has anything else after 127.0.0.1, and you didn't put it there, delete it. Some malware will edit your hosts file and load it with all sorts of bogus mappings.
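Added example (not posted by anyone in this thread): a small Python script that does the hosts-file check described above mechanically. It parses the file, reports any hostname mapped to an address other than loopback (or 0.0.0.0), reports any watched domain such as google.com that has been remapped anywhere, and separately lists the ad-blocking style entries that just point at 127.0.0.1, which is what the thread later concludes is harmless. It also catches lines that have an address but no hostname, like the "127.0.0.1 # URLs to their site." lines in the paste below. The sample hosts text is constructed for the example; 192.0.2.10 is a documentation address standing in for "some remote server".

```python
"""Audit a hosts file for the two things the check above looks for:
a real domain (google.com here) remapped somewhere it should not go, and
lines that are not valid "IP hostname" entries. Entries that send a
hostname to loopback are the ad-blocking pattern and are reported
separately, not flagged."""
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")   # also used as a blocking sink
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (entries, malformed). entries: list of (ip_address, [hostnames]);
    malformed: list of (line_no, raw_line) for lines that have an address but
    no hostname, or a first field that does not parse. Text after '#' is ignored."""
    entries, malformed = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue                      # blank or comment-only line
        parts = body.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((no, raw))
            continue
        if len(parts) < 2:                # e.g. "127.0.0.1 # URLs to their site."
            malformed.append((no, raw))
            continue
        entries.append((ip, [h.lower() for h in parts[1:]]))
    return entries, malformed


def audit_hosts(text, watch_domains=("google.com",)):
    """Classify every hostname in the file.
    suspicious: mapped to a non-sink address, or a watched domain mapped anywhere
    blocked:    sent to loopback/0.0.0.0 (ad-blocking style, as in the thread)
    malformed:  lines parse_hosts could not use"""
    entries, malformed = parse_hosts(text)
    report = {"suspicious": [], "blocked": [], "malformed": malformed}
    for ip, names in entries:
        is_sink = ip in LOOPBACK or ip == UNSPECIFIED
        for name in names:
            watched = any(name == d or name.endswith("." + d) for d in watch_domains)
            if not is_sink:
                report["suspicious"].append((name, str(ip), "mapped to remote address"))
            elif watched:
                report["suspicious"].append((name, str(ip), "watched domain sinkholed"))
            elif name not in LOCAL_NAMES:
                report["blocked"].append(name)
    return report


# Constructed sample in the layout of a Windows hosts file; the last line is
# the kind of bogus mapping the check is meant to catch (192.0.2.10 is a
# documentation address, not a real server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # ad-blocking entry, harmless
127.0.0.1       # URLs to their site.   (malformed: address with no hostname)
192.0.2.10      www.google.com          # constructed bogus mapping
"""

if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    for name, ip, why in rep["suspicious"]:
        print(f"SUSPICIOUS  {name:30} -> {ip:15} ({why})")
    for no, line in rep["malformed"]:
        print(f"MALFORMED   line {no}: {line.strip()}")
    print(f"{len(rep['blocked'])} hostname(s) sinkholed to loopback (ad-blocking style)")
```

To run it against a real file, replace SAMPLE_HOSTS with `open(r"C:\Windows\System32\drivers\etc\hosts").read()`. A long list of loopback entries on its own is not a finding; a single entry sending a real domain to a remote address is.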

ffactoryxx

30-07-2006 16:18:54

There are hundreds of entries before the localhost one. You're saying there shouldn't be anything after it?

Looks something like this:
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
# If there is a domain name you would rather never see, simply add a line
# that reads "127.0.0.1 machine.domain.tld". This will have the effect of
# redirecting any requests to that host to your own computer. For example
# this will prevent your browser from downloading banner ads, or sending
# your information back to a company.
# Do not touch localhost!
127.0.0.1 localhost.localdomain
# Uncomment this to block the Netscape news service from pushing news
# items to your netscape client.
#127.0.0.1 messenger.netscape.com
# Spyware and user tracking
# Uncomment (remove the #) the lines that you wish to block, as some
# may provide you with services you like.
#127.0.0.1 auto.search.msn.com # Microsoft uses this server to redirect
# mistyped URLs to search engines. They
# log all such errors.
127.0.0.1 sitefinder.Verisign.com # Verisign has joined the game
127.0.0.1 sitefinder-idn.Verisign.com # of trying to hijack mistyped
127.0.0.1 # URLs to their site.
127.0.0.1 ad.doubleclick.net # This may interefere with www.sears.com
127.0.0.1 # and potentially other sites.
127.0.0.1 media.fastclick.net # Likewise, this may interefer with some
127.0.0.1 # sites.
#127.0.0.1 ebay.doubleclick.net # may interfere with ebay
#127.0.0.1 stat.livejournal.com #There are reports that this may mess
127.0.0.1 #up CSS on livejournal
#127.0.0.1 stats.surfaid.ihost.com # This has been known cause
127.0.0.1 # problems with NPR.org
127.0.0.1 06272002-dbase.hitcountz.net # Web bugs in spam
127.0.0.1 123counter.mycomputer.com
127.0.0.1 123counter.superstats.com

Keeps going with tons more entries, then

127.0.0.1 www.winmx-pro.com
127.0.0.1 www2.music-download-network.com
#END of Scam Sites

127.0.0.1 localhost

127.0.0.1 localhost


Could I fire you over my HijackThis log?

dmorris68

30-07-2006 16:31:24

Oh yeah, I forgot that a common "low-tech" but effective way to block ads is to use the hosts file to redirect common ad domains to localhost. You must have used an ad-blocker software or something.

That looks fine, everything listed is redirecting to your local machine, so it isn't causing the google hit.

Unless...

It just occurred to me while typing this that, when Firefox can't resolve a URL, it will sometimes kick over to its default search engine and initiate a search. If the redirects due to your localhost are happening and a banner address fails, it could possibly be causing this behavior. Save your hosts file to hosts.bak or something, then delete every one of those lines except for the single 127.0.0.1 localhost line (or just c&p mine from above). Save it as hosts and try again. If the redirects still happen, you have another problem and can restore your old hosts.bak to get your ad-blocking working again.

ffactoryxx

30-07-2006 16:39:48

Could this be the problem? I went into my TCP/IP protocol and there were numbers in the

"Manually enter DNS" boxes:

85.255.115.34

85.255.112.63

I switched to automatically obtain DNS and then deleted the O17 lines in the HijackThis log.

O17 - HKLM\System\CCS\Services\Tcpip\..\{40E20DEB-D20E-465A-9D3B-07253139B42B} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{4322F582-5F6E-4690-9252-036A319CBF97} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBC18D8C-C7BF-4261-9843-CBE984F8FCF1} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{40E20DEB-D20E-465A-9D3B-07253139B42B} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS2\Services\Tcpip\Parameters NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS2\Services\Tcpip\..\{40E20DEB-D20E-465A-9D3B-07253139B42B} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters NameServer = 85.255.116.30 85.255.112.144

dmorris68

30-07-2006 16:49:58

ffactoryxx wrote:

Could this be the problem? I went into my TCP/IP protocol and there were numbers in the

"Manually enter DNS" boxes:

85.255.115.34

85.255.112.63

I switched to automatically obtain DNS and then deleted the O17 lines in the HijackThis log.

O17 - HKLM\System\CCS\Services\Tcpip\..\{40E20DEB-D20E-465A-9D3B-07253139B42B} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{4322F582-5F6E-4690-9252-036A319CBF97} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBC18D8C-C7BF-4261-9843-CBE984F8FCF1} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{40E20DEB-D20E-465A-9D3B-07253139B42B} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS2\Services\Tcpip\Parameters NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS2\Services\Tcpip\..\{40E20DEB-D20E-465A-9D3B-07253139B42B} NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters NameServer = 85.255.116.30 85.255.112.144

While I haven't heard of a specific case, this sounds like it could possibly be the next step of the hosts file hack. Instead of hijacking your hosts file to redirect you where they want, they could conceivably hijack your DNS settings, sending you to a rogue DNS server that injected redirects along the way.

Or it could just be some settings you forgot about that you entered manually once before, and maybe the DNS is broken so the default search engine feature I was talking about kicks in whenever something doesn't resolve.

If you're not supposed to have static DNS addresses, though, deleting them was a good thing. You should be careful deleting them from HijackThis though, as that deletes directly from the registry and you could shoot yourself in the foot. Removing them from your TCP/IP settings should have been enough to remove them from the HijackThis log.
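Added example (not from anyone in this thread): a read-only Python audit of the DNS resolver settings that HijackThis reports as O17 lines, which is the safer counterpart to deleting them from the registry as the last reply warns against. It parses each "O17 - <key> NameServer = <servers>" line, accepts both the comma- and space-separated forms that appear in the log above, and sorts every resolver into "trusted" or "unexpected" against an allowlist of networks the machine is supposed to use. The allowlist here (RFC 1918 LAN ranges, i.e. a home router) and the entry with the {CONSTRUCTED-GUID} key are assumptions made for the example; in practice the allowlist would be the ISP's or the router's resolver addresses. The 85.255.x.x lines are copied from the log posted in this thread.

```python
"""Audit the DNS servers recorded in HijackThis O17 lines (the same values
live in the Tcpip\\Parameters and per-interface NameServer registry values)
against an allowlist of resolvers this machine is expected to use.
Read-only: it reports, it never edits the registry."""
import ipaddress
import re

# "O17 - <registry key> NameServer = <servers>"; the server list may be
# comma- or space-separated, and both forms occur in the posted log.
O17_RE = re.compile(r"^O17\s+-\s+(?P<key>\S+)\s+NameServer\s*=\s*(?P<servers>.+)$")


def parse_o17(log_lines):
    """Return [(registry_key, [server, ...]), ...] for every O17 line; other
    HijackThis sections (O4, O2, ...) are ignored."""
    found = []
    for line in log_lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        found.append((m.group("key"), servers))
    return found


def audit_nameservers(log_lines, trusted_networks):
    """Bucket each configured resolver.
    Returns {"trusted": {ip: [keys]}, "unexpected": {ip: [keys]}, "invalid": [(key, text)]}
    so the caller can see every registry key a given resolver was pushed into."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    report = {"trusted": {}, "unexpected": {}, "invalid": []}
    for key, servers in parse_o17(log_lines):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                report["invalid"].append((key, s))   # garbage in a NameServer value
                continue
            bucket = "trusted" if any(ip in n for n in nets) else "unexpected"
            report[bucket].setdefault(str(ip), []).append(key)
    return report


# Two O17 lines copied from the log in the thread (comma and space forms), one
# constructed line for a typical home-router resolver so both buckets are
# exercised, and one non-O17 line that must be ignored.
SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{40E20DEB-D20E-465A-9D3B-07253139B42B} NameServer = 85.255.116.30,85.255.112.144",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters NameServer = 85.255.116.30 85.255.112.144",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID} NameServer = 192.168.1.1",  # constructed
    r"O4 - HKLM\..\Run: [example] not an O17 line",  # constructed, must be skipped
]

# Assumption for this example: the only legitimate resolver is the LAN router.
# Replace with the ISP's resolver addresses if the machine is meant to use those.
TRUSTED = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]

if __name__ == "__main__":
    rep = audit_nameservers(SAMPLE_LOG, TRUSTED)
    for ip, keys in sorted(rep["unexpected"].items()):
        print(f"UNEXPECTED resolver {ip} configured in {len(keys)} registry key(s)")
        for k in keys:
            print(f"    {k}")
    for ip, keys in sorted(rep["trusted"].items()):
        print(f"trusted resolver {ip} configured in {len(keys)} registry key(s)")
```

Feed it the O17 block of a saved log with `audit_nameservers(open("hijackthis.log").readlines(), TRUSTED)`. The useful signal is the same one dmorris68 points at: resolvers you did not configure, present in several control sets (CCS, CS1, CS2) at once, which is not what a one-off manual typo looks like.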