Google results all forwarding to http://thealltimes.com/



Trying to fix a Windows 7 x64 SP1 system that is confusing me!

All Google results forward to thealltimes.com

Sounds like spyware or something, but I've run:

  • Malwarebytes Anti-Malware
  • PC Tools Internet Security
  • Ad-Aware
  • eTrust PestPatrol Anti-Spyware
  • Microsoft's Malicious Software Removal Tool
  • Spybot Search and Destroy
  • TDSSKiller

etc. and they all only find 'tracking cookies' at most.

Any ideas?

Edited by GreyWolf
Please do not post links to suspicious sites

Checked the HOSTS file?

Try checking your Hosts file to see if there is an entry that is forwarding to that site.

127.0.0.1 localhost
::1 localhost
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

127.0.0.1 crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

REM out the bottom line.
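As an added example (not code from the thread), this Python script does what the posters above did by eye: it parses a Windows HOSTS file, ignores the comment block and the plain localhost lines, and flags every remaining mapping, singling out entries that sinkhole certificate-revocation or update hosts to loopback. The SECURITY_HOSTS list and the sample file are constructed for the example.

```python
import os
from ipaddress import ip_address

# Hosts whose redirection to loopback usually means something on the box
# is trying to stop revocation/update checks (constructed list, extend it).
SECURITY_HOSTS = {
    "crl.verisign.net",
    "ocsp.verisign.net",
    "windowsupdate.microsoft.com",
}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample modelled on the file posted in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 localhost
::1 localhost
127.0.0.1 crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
"""

def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for each active mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, keep the rest
        if not line:
            continue
        fields = line.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue                          # not "IP name [name...]"
        # hosts names are case-insensitive; dedupe repeats on one line
        names = list(dict.fromkeys(h.lower() for h in fields[1:]))
        yield lineno, str(ip), names

def audit_hosts(text):
    """Return (lineno, name, ip, reason) for every mapping worth a look."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if name in SECURITY_HOSTS and ip_address(ip).is_loopback:
                findings.append((lineno, name, ip, "security service sinkholed"))
            else:
                findings.append((lineno, name, ip, "non-localhost mapping"))
    return findings

if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", ""), "System32", "drivers", "etc", "hosts")
    text = open(path).read() if os.path.isfile(path) else SAMPLE_HOSTS
    for lineno, name, ip, reason in audit_hosts(text):
        print(f"line {lineno}: {name} -> {ip} ({reason})")
```

Run it on the affected machine; a clean Windows 7 hosts file produces no output at all, so anything printed is worth explaining.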


Internet Explorer, Firefox and my Wireless Network Connection (IPv4 and IPv6) are all set to obtain an IP automatically (nothing manual appears to be entered).


Do your box settings look any different to this?

[image snipped]

If so then it's been altered, just set it to automatically detect settings and untick the proxy settings!


Load up an Ubuntu live cd. If it works fine there, then it's either:

1. Something is intercepting and modifying your http connections. Most likely a rootkit.

2. You have a proxy configured.


Just plain curious, why would you not want to check the verisign crl??

127.0.0.1 crl.verisign.net

That clearly points to some form of infection that does not want a bad SSL cert checked.

What does an nslookup or dig show for www.google.com?

; <<>> DiG 9.8.1-P1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37694
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.   IN A

;; ANSWER SECTION:
www.google.com.    18708 IN CNAME www.l.google.com.
www.l.google.com.  115   IN A     74.125.225.116
www.l.google.com.  115   IN A     74.125.225.112
www.l.google.com.  115   IN A     74.125.225.113
www.l.google.com.  115   IN A     74.125.225.114
www.l.google.com.  115   IN A     74.125.225.115

;; Query time: 14 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Sat Dec 31 07:44:46 2011
;; MSG SIZE rcvd: 132

Also -- unless you by hand put that crl.verisign into your host file -- which for the life of me I cannot fathom why.. then clearly the machine has been infected - NUKE IT FROM ORBIT, and get on with your life.

BTW, why is this in software support section?? Should be under security or windows help.


So all browsers on your system are doing this?

I only have Firefox and Internet Explorer installed and it happens in both.

Have you tried SuperAntiSpyware?

http://superantispyware.com/

You are doing all these scans in safe mode, correct?

FWIW,

I can't even get to that site you keep getting forwarded to.

I have tried SUPERAntiSpyware and I have used all programs in Safe Mode and the standard desktop.

Check your browser extensions/add-ons/plug-ins.

I feel this is more complicated than that :(

Do your box settings look any different to this?

[image snipped]

If so then it's been altered, just set it to automatically detect settings and untick the proxy settings!

[images snipped]

Just plain curious, why would you not want to check the verisign crl??

:shiftyninja:


<snip>

What does an nslookup or dig show for www.google.com?

<snip>

No idea what either are, but I believe this may be what you mean by 'nslookup':

C:\Users\Elliot>nslookup www.google.com
Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  173.194.66.106
            173.194.66.147
            173.194.66.99
            173.194.66.103
            173.194.66.104
            173.194.66.105
Aliases:  www.google.com

On IE, untick 'automatically detect' and on FF switch to 'No proxy'.

Didn't fix it :(

"No threats detected."

Proxy/DNS settings on router?

Malware can do that...?


I found this this morning for you...check out the entire article, if you haven't already:

http://www.tech-faq....rom-google.html

One suggestion is that it might be hooked onto the MBR and that you might need to use the FixMBR function in the Windows Recovery Console.

Nothing worked :(

Also, the Windows Security Center service is no longer able to start (another issue I haven't been able to solve).
