From: David Kaye on 23 Feb 2010 04:31

Okay, the computer looks clean. The hosts file is empty except of course for the localhost entry.

I changed the DNS from ISP provider to OpenDNS in case Comcast's DNS was polluted. I cleaned the cache of IE but also installed Safari and Firefox. The problem happens on all browsers.

Here's the problem: The very first time I search for something on the computer using Google I get a redirect to some apparently random website. Let's say I'm Googling CBS. I click on the first link under Google, which would be www.cbs.com, but I'll get maybe yellowpages.com instead.

But the next time I do the exact same Google, even after shutting down and restarting, I get pointed to the right place. As I said, the computer seems clean from a malware point of view (MalwareBytes and Avast, along with AVG). I have used HijackThis on it and saw nothing odd.

What am I missing? I've seen redirects before but they're always consistently redirecting. This one always redirects just the first attempt and only with Google. Subsequent times the Google click goes through correctly.

Ideas anyone?

From: ~BD~ on 23 Feb 2010 08:04

David Kaye wrote:
> Okay, the computer looks clean. The hosts file is empty except of course for
> the localhost entry.
>
> I changed the DNS from ISP provider to OpenDNS in case Comcast's DNS was
> polluted. I cleaned the cache of IE but also installed Safari and Firefox.
> The problem happens on all browsers.
>
> Here's the problem: The very first time I search for something on the
> computer using Google I get a redirect to some apparently random website.
> Let's say I'm Googling CBS. I click on the first link under Google, which
> would be www.cbs.com, but I'll get maybe yellowpages.com instead.
>
> But the next time I do the exact same Google, even after shutting down and
> restarting, I get pointed to the right place. As I said, the computer seems
> clean from a malware point of view (MalwareBytes and Avast, along with AVG).
> I have used HijackThis on it and saw nothing odd.
>
> What am I missing? I've seen redirects before but they're always consistently
> redirecting. This one always redirects just the first attempt and only with
> Google. Subsequent times the Google click goes through correctly.
>
> Ideas anyone?
>

Did you try posting your HJT log into this site? http://hijackthis.de/

Worth a try!

I can feel your frustration, David!

--
Dave

From: Virus Guy on 23 Feb 2010 09:34

David Kaye wrote:
> I changed the DNS from ISP provider to OpenDNS in case Comcast's
> DNS was polluted.

I generally have my DNS hardcoded to 4.2.2.2, but to each his own.

> The very first time I search for something on the computer using
> Google I get a redirect to some apparently random website.

Check your HOSTS file. On XP (and Vista and 7 also I think) it's located in /system32/drivers/etc/

The default hosts file will be small, with maybe only 1 entry (local host). Some anti-malware software (Spybot SD, Spyware Blaster, etc) will add their own entries to the hosts file, making it very large (this is normal and expected). Third-party hosts files (MVPS) are downloadable for the same purpose.

Malware is known to add its own entries into the hosts file, causing you to be redirected when you try to access certain domains. Google.com and other google.* domains in particular.

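The hosts-file check described in the post above, as an added example that is not part of the thread: it separates the expected localhost entry and blocklist-style entries (names pinned to a loopback or 0.0.0.0 address, as anti-malware tools add) from entries that pin a name to a routable address. The sample file, the `audit_hosts` and `parse_hosts` names and the `watch` parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the thread); 203.0.113.0/24 is a documentation range.
SAMPLE = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocklist-style entry
127.0.0.1       tracker.example.org
203.0.113.10    www.google.com google.com
203.0.113.10    www.google.co.uk
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # first field is not an address
        for name in fields[1:]:                    # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watch=("google",)):
    """Sort entries into expected, blocklist (sinkholed) and redirect buckets."""
    report = {"expected": [], "blocklist": [], "redirect": [], "watched": []}
    for line_no, ip, name in parse_hosts(text):
        entry = (line_no, str(ip), name)
        sinkhole = ip.is_loopback or ip.is_unspecified
        if name == "localhost" and ip.is_loopback:
            report["expected"].append(entry)
        elif sinkhole:
            report["blocklist"].append(entry)      # what Spybot/MVPS-style lists add
        else:
            report["redirect"].append(entry)       # name pinned to a routable address
            if any(label in watch for label in name.split(".")):
                report["watched"].append(entry)    # e.g. google.com, www.google.co.uk
    return report

if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE).items():
        for line_no, ip, name in entries:
            print(f"{bucket:9} line {line_no}: {name} -> {ip}")
```

A hosts file holding only the localhost entry, as reported in this thread, produces nothing outside the `expected` bucket.
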
From: David Kaye on 23 Feb 2010 15:17

~BD~ <BoaterDave(a)NOSPAMhotmail.co.uk> wrote:
>
>Did you try posting your HJT log into this site? http://hijackthis.de/
>
>Worth a try!

No, because the HJT log is short and clear to me. There is nothing suspicious. I also looked inside of all likely processes with PrcView to see which DLLs were being called for each process and still nothing.

I'm coming to wonder if the Comcast modem itself is carrying something.

From: David Kaye on 23 Feb 2010 15:18

Virus Guy <Virus(a)Guy.com> wrote:
>Check your HOSTS file. On XP (and vista and 7 also I think) it's
>located in /system32/drivers/etc/

As I previously mentioned, the hosts file is clean. The only entry is for local host.