Elliot B. Posted December 31, 2011 (edited)
Trying to fix a Windows 7 x64 SP1 system that is confusing me! All Google results forward to thealltimes.com. Sounds like spyware or something, but I've run:
Malwarebytes Anti-Malware
PC Tools Internet Security
Ad-Aware
eTrust PestPatrol Anti-Spyware
Microsoft's Malicious Software Removal Tool
Spybot Search and Destroy
TDSSKiller
etc. and they all only find 'tracking cookies' at most. Any ideas?
Edited December 31, 2011 by GreyWolf: Please do not post links to suspicious sites
Chester0 Posted December 31, 2011
Checked the HOSTS file?
Patrick831 Posted December 31, 2011
Try checking your Hosts file to see if there is an entry that is forwarding to that site.
Elliot B. (Author) Posted December 31, 2011
> Checked the HOSTS file?
> Try checking your Hosts file to see if there is an entry that is forwarding to that site.

127.0.0.1 localhost
::1 localhost
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
spikey_richie Posted December 31, 2011
I had something similar a few weeks back. Tried ComboFix, MalwareBytes, MSE, AdAware... all no dice. I ended up using http://support.kaspersky.com/faq/?qid=208280684 which sorted it.
Elliot B. (Author) Posted December 31, 2011
> I had something similar a few weeks back. Tried ComboFix, MalwareBytes, MSE, AdAware... all no dice. I ended up using http://support.kaspersky.com/faq/?qid=208280684 which sorted it.

I have also tried that recently - no luck :/
spikey_richie Posted December 31, 2011
> 127.0.0.1 localhost
> ::1 localhost
> # Copyright (c) 1993-2009 Microsoft Corp.
> #
> # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
> #
> # This file contains the mappings of IP addresses to host names. Each
> # entry should be kept on an individual line. The IP address should
> # be placed in the first column followed by the corresponding host name.
> # The IP address and the host name should be separated by at least one
> # space.
> #
> # Additionally, comments (such as these) may be inserted on individual
> # lines or following the machine name denoted by a '#' symbol.
> #
> # For example:
> #
> #      102.54.94.97     rhino.acme.com          # source server
> #       38.25.63.10     x.acme.com              # x client host
>
> # localhost name resolution is handled within DNS itself.
> #	127.0.0.1       localhost
> #	::1             localhost
> 127.0.0.1 crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

REM out the bottom line.
Elliot B. (Author) Posted December 31, 2011
> REM out the bottom line.

Didn't work :/
Miuku. Posted December 31, 2011
I'm guessing you've done all of these: http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html and http://deletemalware.blogspot.com/2011/09/remove-webplainsnet-uninstall-guide.html ?
Elliot B. (Author) Posted December 31, 2011
> I'm guessing you've done all of these: http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html and http://deletemalware.blogspot.com/2011/09/remove-webplainsnet-uninstall-guide.html ?

Internet Explorer, Firefox and my Wireless Network Connection (IPv4 and IPv6) are all set to obtain an IP automatically (nothing manual appears to be entered).
AdamLC Posted December 31, 2011
So all browsers on your system are doing this?
cork1958 Posted December 31, 2011
Have you tried SuperAntiSpyware? http://superantispyware.com/
You are doing all these scans in safe mode, correct?
FWIW, I can't even get to that site you keep getting forwarded to.
coth Posted December 31, 2011
Check your browser extensions/add-ons/plug-ins.
djdanster Posted December 31, 2011
Do your box settings look any different to this? If so then it's been altered; just set it to automatically detect settings and untick the proxy settings!
Joey S Posted December 31, 2011
Load up an Ubuntu live CD. If it works fine there, then it's either:
1. Something is intercepting and modifying your HTTP connections. Most likely a rootkit.
2. You have a proxy configured.
HawkMan Posted December 31, 2011
Yes, proxy settings, and check the DNS.
BudMan (MVC) Posted December 31, 2011
Just plain curious: why would you not want to check the VeriSign CRL??

127.0.0.1 crl.verisign.net

That clearly points to some form of infection that does not want a bad SSL cert checked.

What does a nslookup or dig show for www.google.com?

; <<>> DiG 9.8.1-P1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37694
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		18708	IN	CNAME	www.l.google.com.
www.l.google.com.	115	IN	A	74.125.225.116
www.l.google.com.	115	IN	A	74.125.225.112
www.l.google.com.	115	IN	A	74.125.225.113
www.l.google.com.	115	IN	A	74.125.225.114
www.l.google.com.	115	IN	A	74.125.225.115

;; Query time: 14 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Sat Dec 31 07:44:46 2011
;; MSG SIZE  rcvd: 132

Also -- unless you by hand put that crl.verisign into your hosts file -- which for the life of me I can not fathom why.. Then clearly the machine has been infected - NUKE IT FROM ORBIT, and get on with your life.

BTW, why is this in the software support section?? Should be under security or Windows help.
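The HOSTS entry BudMan singles out is the kind of thing a defender wants to catch automatically rather than by eyeballing the file. The script below is an added example written for this thread, not code posted by anyone in it: it parses the HOSTS file Elliot posted (embedded here as the sample input) and flags two patterns. A "block" finding is any hostname other than the stock localhost names that is mapped to a loopback or unspecified address; it is rated high when the name contains a fragment from a constructed list of revocation, update and AV-vendor strings that malware commonly sinkholes (which is what `127.0.0.1 crl.verisign.net` does: it stops the browser fetching VeriSign's revocation list). A "redirect" finding is a hostname pinned to a real address, which overrides DNS for that name entirely and is how a hosts-based search redirect would look. The fragment list, the benign-name set and the extra test inputs are assumptions made for the example.

```python
"""Audit a Windows HOSTS file for sinkhole and redirect entries.

Added example for the thread above (not the posters' code). Flags:
  * "block":    a non-localhost name mapped to 127.x / ::1 / 0.0.0.0
  * "redirect": a name pinned to a real address, bypassing DNS
  * "malformed": a line whose first field is not an IP address
"""
import ipaddress
from typing import Dict, List

# Fragments whose presence in a sinkholed name is a strong tampering signal:
# revocation, update and AV-vendor names. Constructed list, not exhaustive.
SUSPICIOUS_FRAGMENTS = ("crl.", "ocsp.", "update", "verisign", "antivirus",
                        "malwarebytes", "kaspersky", "symantec", "mcafee")

# Names that legitimately map to loopback; never flagged. Constructed set.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# The HOSTS file posted in the thread, used as the sample input.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
# Copyright (c) 1993-2009 Microsoft Corp.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
"""


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per active (non-comment, non-blank) HOSTS line."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            records.append({"line": lineno, "ip": None, "names": fields, "malformed": True})
            continue
        # Windows accepts several hostnames per line; names are case-insensitive,
        # so the posted CRL.VERISIGN.NET duplicate collapses into one entry.
        names = list(dict.fromkeys(n.lower() for n in fields[1:]))
        records.append({"line": lineno, "ip": ip, "names": names, "malformed": False})
    return records


def audit_hosts(text: str) -> List[Dict]:
    """Flag HOSTS entries that block or redirect name resolution."""
    findings = []
    for rec in parse_hosts(text):
        if rec["malformed"]:
            findings.append({"line": rec["line"], "name": " ".join(rec["names"]),
                             "ip": None, "kind": "malformed", "severity": "low"})
            continue
        ip = rec["ip"]
        sinkhole = ip.is_loopback or ip.is_unspecified  # 127.x, ::1, 0.0.0.0
        for name in rec["names"]:
            if sinkhole and name in BENIGN_LOOPBACK_NAMES:
                continue  # the stock localhost lines
            if sinkhole:
                hit = any(frag in name for frag in SUSPICIOUS_FRAGMENTS)
                findings.append({"line": rec["line"], "name": name, "ip": str(ip),
                                 "kind": "block", "severity": "high" if hit else "medium"})
            else:
                # A pinned address is a full DNS override; a public target is the
                # classic redirect, a private one is more likely a LAN shortcut.
                findings.append({"line": rec["line"], "name": name, "ip": str(ip),
                                 "kind": "redirect",
                                 "severity": "high" if ip.is_global else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['kind']:8s} {f['severity']:6s} {f['name']} -> {f['ip']}")
```

Run against the posted file it reports `crl.verisign.net` as a high-severity block and `ood.opsource.net` as a medium one; a stock HOSTS file with only the two localhost lines produces no findings. Reading the real file (`%SystemRoot%\System32\drivers\etc\hosts`) instead of the sample is a one-line change, and the same logic applies on any OS that honours a hosts file.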
Elliot B. (Author) Posted December 31, 2011
> So all browsers on your system are doing this?

I only have Firefox and Internet Explorer installed and it happens in both.

> Have you tried SuperAntiSpyware? http://superantispyware.com/ You are doing all these scans in safe mode, correct? FWIW, I can't even get to that site you keep getting forwarded to.

I have tried SUPERAntiSpyware and I have used all programs in Safe Mode and the standard desktop.

> Check your browser extensions/add-ons/plug-ins.

I feel this is more complicated than that :(

> Do your box settings look any different to this? [image snipped] If so then it's been altered; just set it to automatically detect settings and untick the proxy settings!

> Just plain curious: why would you not want to check the VeriSign CRL??

:shiftyninja:
episode Posted December 31, 2011
On IE, untick 'automatically detect' and on FF switch to 'No proxy'.
Flae_qui Posted December 31, 2011
My fail safe: http://www.kaspersky.com/antivirus-removal-tool-register
HawkMan Posted December 31, 2011
Proxy/DNS settings on the router? And do what BudMan said.
techbeck Posted December 31, 2011
Try SuperAntiSpyware as well. I have found this program detects more/different things than Malwarebytes and is also free. Never mind, see you already tried that.
Elliot B. (Author) Posted December 31, 2011
> <snip>
> What does a nslookup or dig show for www.google.com?
>
> ; <<>> DiG 9.8.1-P1 <<>> www.google.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37694
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.google.com.			IN	A
>
> ;; ANSWER SECTION:
> www.google.com.		18708	IN	CNAME	www.l.google.com.
> www.l.google.com.	115	IN	A	74.125.225.116
> www.l.google.com.	115	IN	A	74.125.225.112
> www.l.google.com.	115	IN	A	74.125.225.113
> www.l.google.com.	115	IN	A	74.125.225.114
> www.l.google.com.	115	IN	A	74.125.225.115
>
> ;; Query time: 14 msec
> ;; SERVER: 192.168.1.253#53(192.168.1.253)
> ;; WHEN: Sat Dec 31 07:44:46 2011
> ;; MSG SIZE  rcvd: 132
> <snip>

No idea what either are but I believe this may be what you mean by 'nslookup':

C:\Users\Elliot>nslookup www.google.com
Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  173.194.66.106
          173.194.66.147
          173.194.66.99
          173.194.66.103
          173.194.66.104
          173.194.66.105
Aliases:  www.google.com

> On IE, untick 'automatically detect' and on FF switch to 'No proxy'.

Didn't fix it :(

> My fail safe: http://www.kaspersky...l-tool-register

"No threats detected."

> Proxy/DNS settings on the router?

Malware can do that...?
rkenshin Posted December 31, 2011
I found this this morning for you... check out the entire article, if you haven't already: http://www.tech-faq....rom-google.html
One suggestion is that it might be hooked onto the MBR and that you might need to use the FixMBR function in the Windows Recovery Console.
Elliot B. (Author) Posted December 31, 2011
> I found this this morning for you... check out the entire article, if you haven't already: http://www.tech-faq....rom-google.html
> One suggestion is that it might be hooked onto the MBR and that you might need to use the FixMBR function in the Windows Recovery Console.

Nothing worked :( Also, the Windows Security Center service is no longer able to start (another issue I haven't been able to solve).