Make the adware stop.
January 10, 2009 5:46 PM Subscribe
My google search results are redirecting me to certain sites (see 'more inside') due to adware/spyware that AdAware and Norton can't find. It's intermittent, and happening to both Firefox, IE, AND Chrome, although Chrome is choosing to simply not load the pages and gives me error messages. I can't google a solution because of the redirecting problem. Can you help?
For example, if I google anything with the term 'marriage' in it, I get redirect to http://209.85.171.199/url?q=http://www.top100weddingsites.com/ or http://209.85.171.199/url?q=http://www.findstuff.com/, which then, in turn, redirect me to other websites (mandatory disclaimer: it might be a bad decision to copy those into your address bar).
It happens most often when I click the (legitimate, Google-provided link) for 'News results about...'
Any help?
For example, if I google anything with the term 'marriage' in it, I get redirect to http://209.85.171.199/url?q=http://www.top100weddingsites.com/ or http://209.85.171.199/url?q=http://www.findstuff.com/, which then, in turn, redirect me to other websites (mandatory disclaimer: it might be a bad decision to copy those into your address bar).
It happens most often when I click the (legitimate, Google-provided link) for 'News results about...'
Any help?
Make sure you have the newest update for AdAware, boot up into safe mode and run it.
posted by dunderwood at 5:58 PM on January 10, 2009
posted by dunderwood at 5:58 PM on January 10, 2009
Try MBAM. We've switched over to that at work from Spybot, and it's been working great.
posted by niles at 6:14 PM on January 10, 2009
posted by niles at 6:14 PM on January 10, 2009
This reminded me of a recent question - the answer I liked was a link to impressive directions.
posted by Pronoiac at 7:02 PM on January 10, 2009
posted by Pronoiac at 7:02 PM on January 10, 2009
Malwarebytes' AntiMalware is something which would help you out quite a bit. Also, I recommend ditching Norton as soon as your subscription is up, instead going with either AVG or AntiVir. They both have free versions which tend to find quite a bit more than Norton does, and they also use far less in system resources.
posted by The Great Big Mulp at 7:48 PM on January 10, 2009
posted by The Great Big Mulp at 7:48 PM on January 10, 2009
(Also, be sure to update to the latest version of Malwarebytes' before running a scan. Furthermore, it can fix most issues just with a quick scan.)
posted by The Great Big Mulp at 7:49 PM on January 10, 2009
posted by The Great Big Mulp at 7:49 PM on January 10, 2009
Response by poster: Mulp: alas, I live at home, and despite praising other anti-viruses, my dad prefers the 'true and tested' Norton. It's just not going to change.
posted by flibbertigibbet at 7:52 PM on January 10, 2009
posted by flibbertigibbet at 7:52 PM on January 10, 2009
Ah! Well, so it goes, I suppose.
posted by The Great Big Mulp at 7:56 PM on January 10, 2009
posted by The Great Big Mulp at 7:56 PM on January 10, 2009
Response by poster: Night_owl: That solution won't work for me as my (paid) anti-virus isn't picking up on the problem at all. Nor is any other program. I will definitely take that route if I do find the problem and it reappears, so thank you.
MBAM didn't find it. I'm gonna try a few more things tomorrow (AVG and AntiVir are on the list, yes), so thanks Pronoaic and dunderwood.
posted by flibbertigibbet at 9:22 PM on January 10, 2009
MBAM didn't find it. I'm gonna try a few more things tomorrow (AVG and AntiVir are on the list, yes), so thanks Pronoaic and dunderwood.
posted by flibbertigibbet at 9:22 PM on January 10, 2009
I believe that IP address is used for the web-search-hijacker called My Web Search. You've probably nailed some of it already, but to clean up the rest, I would use combofix first, followed by a manual hijackthis cleanup.
posted by ArkhanJG at 10:00 PM on January 10, 2009
posted by ArkhanJG at 10:00 PM on January 10, 2009
According to this and this, you need to check for the presence of these two files:
c:\windows\system32\sysaudio.sys (TR/Daonol.B.3)
c:\windows\system32\wdmaud.sys (RKIT/Agent.fwt)
A general search (just try another search engine) on that 209.85.171.199 IP returns a lot of helpful(?) information.
posted by o0o0o at 10:22 PM on January 10, 2009
c:\windows\system32\sysaudio.sys (TR/Daonol.B.3)
c:\windows\system32\wdmaud.sys (RKIT/Agent.fwt)
A general search (just try another search engine) on that 209.85.171.199 IP returns a lot of helpful(?) information.
posted by o0o0o at 10:22 PM on January 10, 2009
First, make sure it's not your HOST file that's been messed with. You might also download one of the anti-adware/malware HOST files from that page to see if it helps.
I would recommend that you do two more online scans that I think is really good at finding everything that is infected in some manner:
housecall.trendmicro.com (Works well with IE and FF)
www.bitdefender.com/scan8/ie.html (only works with IE)
posted by gemmy at 11:57 PM on January 10, 2009
I would recommend that you do two more online scans that I think is really good at finding everything that is infected in some manner:
housecall.trendmicro.com (Works well with IE and FF)
www.bitdefender.com/scan8/ie.html (only works with IE)
posted by gemmy at 11:57 PM on January 10, 2009
I'd second the HOST file change abobe - you anti virus will not find that (as it's just a change to a text file). Also, totally agree with ditching Norton - get AVG free and MBAM.
posted by the_very_hungry_caterpillar at 9:36 AM on January 11, 2009
posted by the_very_hungry_caterpillar at 9:36 AM on January 11, 2009
Response by poster: My HOSTS file is fine and unmolested.
The files that o0o0o listed aren't on my computer.
The problem doesn't fit any of the characteristics of MyWebSearch, and HijackThis finds none of the files that Arkhan's link says should be there (if the problem was My Web Search).
Somebody shut down Housecall mid-run and now it won't run a scan in either IE or Firefox.
Cannot switch antivirus; will be trying additional antiviruses, as well as combofix.
Thanks.
posted by flibbertigibbet at 2:06 PM on January 11, 2009
The files that o0o0o listed aren't on my computer.
The problem doesn't fit any of the characteristics of MyWebSearch, and HijackThis finds none of the files that Arkhan's link says should be there (if the problem was My Web Search).
Somebody shut down Housecall mid-run and now it won't run a scan in either IE or Firefox.
Cannot switch antivirus; will be trying additional antiviruses, as well as combofix.
Thanks.
posted by flibbertigibbet at 2:06 PM on January 11, 2009
One part of the puzzle...your original question...how to Google problem when your web brower is being hijacked (re-directed.) I had this problem and found that I could visit cached versions of links.
posted by Muirwylde at 3:56 PM on January 11, 2009
posted by Muirwylde at 3:56 PM on January 11, 2009
Response by poster: It's actually changing the links on the Google page itself, I just noticed, as well as doing a simple re-direct. i.e. If you search something currently in the news, the top of the Google page will have a snippet of an article, then a link to that article, then a link to related articles. The snippet is untouched, but the link is visibly changed on the Google page itself to spammyspammyspamspam.com, and the links to more news articles LOOKS untouched but redirects to spammyspammyspamspam.com.
posted by flibbertigibbet at 4:12 PM on January 11, 2009
posted by flibbertigibbet at 4:12 PM on January 11, 2009
Response by poster: Muirwylde's suggestion of using the cached versions of links does not work at all, unfortunately.
posted by flibbertigibbet at 4:46 PM on January 11, 2009
posted by flibbertigibbet at 4:46 PM on January 11, 2009
Has your DNS server been changed in your tcp/ip settings
(Control Panel, Network Settings, Properties (of the connection you connect to the internet with, be it Lan, or wireless) then double click on TCP/IP settings in the list. DNS should probably be in 'automatic' not some random numbers, unless you specifically know your ISP has static DNS assigned to you.
You can also change them to OpenDNS (08.67.222.222 and 208.67.220.220). Does that fix your problem?
posted by defcom1 at 5:56 PM on January 11, 2009
(Control Panel, Network Settings, Properties (of the connection you connect to the internet with, be it Lan, or wireless) then double click on TCP/IP settings in the list. DNS should probably be in 'automatic' not some random numbers, unless you specifically know your ISP has static DNS assigned to you.
You can also change them to OpenDNS (08.67.222.222 and 208.67.220.220). Does that fix your problem?
posted by defcom1 at 5:56 PM on January 11, 2009
Somebody shut down Housecall mid-run and now it won't run a scan in either IE or Firefox.
Do a search for a folder in your "documents and settings" folder called Housecall. Delete it, then try again.
And definitely do Bitdefender too, it's good.
posted by gemmy at 9:11 PM on January 11, 2009
Do a search for a folder in your "documents and settings" folder called Housecall. Delete it, then try again.
And definitely do Bitdefender too, it's good.
posted by gemmy at 9:11 PM on January 11, 2009
This thread is closed to new comments.
posted by Night_owl at 5:53 PM on January 10, 2009