Is Google messing up or am I infected with spyware?

Dustin Kesselberg

Whenever I enter a search term on Google and click on the website, it always leads me to another website or search engine. For instance, if I type in "On The Issues Mike Gravel" on Google search:

http://www.google.com/search?hl=en&q=On+the+Issues+Mike+Gravel&btnG=Google+Search


Then I click on the first website listed, here, it takes me somewhere totally different. It takes me here:

http://www.uncoverthenet.com/search/?q=on+the+issues+mike+gravel


Does anyone know what this could be or how to fix it?
 
I assume you are using a computer with a Microsoft operating system. It sounds as though your DNS client has been reconfigured without your consent.

When a friend had a similar problem I discovered that some malware had changed a registry setting such that instead of using the DNS server provided by his ISP, his computer was contacting a Russian IP address for DNS resolution, and that Russian server was always returning its own IP address for each domain name lookup. This criminal enterprise was in effect acting as a proxy server, allowing the criminals responsible to intercept all of his network traffic and harvest whatever might be useful in further criminal activity.

I determined that his computer was infected by having him execute a DNS lookup request from a command prompt for several domains; in each case the server used and the resolved IP address were the same.

Go to a command prompt and type "nslookup randi.org", then post all of the information that is returned. You might also be well advised to install and run a program called HijackThis.

When my friend tried to remove this malware from his Windows XP computer he encountered great difficulty. Finally he asked me if this sort of malware problem would be less likely to occur if he bought a Mac. I said yes, and he is now very pleased with his iMac.

To minimize the risk of your computer automatically installing malicious software I suggest these strategies:

  • Do not use a Microsoft operating system
  • If you must use Windows, do not use Internet Explorer
  • If you must use Windows, do not use Outlook or Outlook Express
  • If you must use Windows, always install every critical update
  • If you must use Windows, always run anti-virus software
  • If you must use Windows, frequently run anti-spyware software
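
The check described in this post (look up several domains with nslookup and compare the server address with the resolved address), as an added example that is not part of the original post. The function names and the transcripts are constructed for illustration and use documentation-range addresses; real nslookup output would be pasted in place of the samples.

```python
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def transcript(resolver, domain, answer):
    """Build a constructed Windows-style nslookup transcript (not a real capture)."""
    return (f"Server:  UnKnown\nAddress:  {resolver}\n\n"
            f"Non-authoritative answer:\nName:    {domain}\nAddress:  {answer}\n")

def parse_nslookup(text):
    """Return (resolver_ip, answer_ips); answer_ips is empty if the lookup failed."""
    head, _, answer = text.partition("Name:")
    resolver = IP_RE.findall(head)
    return (resolver[0] if resolver else None), IP_RE.findall(answer)

def assess(transcripts):
    """Flag the two symptoms: answer == resolver, and every domain -> one address."""
    findings, seen = [], {}
    for domain, text in transcripts.items():
        resolver, answers = parse_nslookup(text)
        if resolver in answers:
            findings.append(f"{domain}: answer is the DNS server itself ({resolver})")
        for ip in answers:
            seen.setdefault(ip, set()).add(domain)
    for ip, domains in seen.items():
        # Unrelated sites sharing one address is only meaningful with several lookups.
        if len(transcripts) >= 3 and len(domains) == len(transcripts):
            findings.append(f"all {len(domains)} domains resolve to {ip}")
    return findings

# Constructed samples using documentation-range addresses.
DOMAINS = ["randi.org", "example.com", "example.net"]
HIJACKED = {d: transcript("203.0.113.53", d, "203.0.113.53") for d in DOMAINS}
CLEAN = {d: transcript("192.0.2.1", d, f"198.51.100.{i}")
         for i, d in enumerate(DOMAINS, 10)}

if __name__ == "__main__":
    for label, sample in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(label, assess(sample) or "no findings")
```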
 
Stephen is right, Dustin. I clicky clicky your links and I got the real results, not the spam you got.

Your computer is infested with some malware. Be careful, do not enter passwords and stuff like that while this malware is running.
 
You might want to check the file "\windows\system32\drivers\etc\hosts". It can contain entries that will direct you to incorrect sites. Pretty simple to fix if that is the case.
 
I'm using Windows XP and I use Firefox. Does anyone here know of any good free antivirus or anti-spyware or malware programs? If so please post them. Thanks.
 
What do I change in it?

If you'd like to post the contents I'll take a look. You're looking for entries in this file that map fraudulent IP Addresses to domain names. If you see a lot of entries here, there may be a problem. You may also have a file called lmhosts in the same directory.

I think your problem is more with malicious software as Stephen first posted.
 
There is a current trojan horse program that modifies your DNS server address to point to a deviant DNS server. Any site you try to reach could be a spoofed site intending to steal your passwords or fool you into downloading more malware. You must use a non-infected machine to download the anti-virus software. If possible, find scan and repair software that runs by booting from a CD or DVD, otherwise the malware could interfere with the scan. I don't use a PC so I can't help with the details.
 
Yeah, I was just reading about how a bunch of MySpace pages are infected with this kind of malware. Alicia Keys' page was hit more than once.
 
What do I change in it?
Ah, sorry, usually there are comments in the file explaining how the file works.

It's just a list of IP addresses and domain names (like google.com). Basically it is a way for you to override the IP address for any web site you like. For most people the file is empty of everything except comments (lines beginning with #).

Did you find the file and does it mention google.com, yahoo.com or anything else you recognize as a web site?
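
The hosts file format described in the posts above (IP address followed by one or more names, `#` starting a comment), as an added example that is not part of the original thread. It lists every entry that overrides a name with a non-loopback address, which is what a redirecting entry looks like; the function names and the sample file content are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; 203.0.113.66 is a documentation-range address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
203.0.113.66    google.com www.google.com   # constructed rogue entry
203.0.113.66    Yahoo.com
not-an-ip       example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, names) for each mapping; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        if len(fields) > 1:
            yield line_no, ip, fields[1:]

def suspicious_entries(text):
    """Return (line_no, ip, name) for names pointed at a non-loopback address."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback:
            continue                          # e.g. the stock "127.0.0.1 localhost"
        hits.extend((line_no, str(ip), name.lower()) for name in names)
    return hits

if __name__ == "__main__":
    # On the machine under review, read \windows\system32\drivers\etc\hosts instead.
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is overridden to {ip}")
```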
 
Dustin, for the hosts file, you actually don't need it at all. To be on the safe side and in case it is not the culprit anyway, just go into the Windows folder and rename the file currently named "hosts" something else (preferably something you can remember!) such as "hostsx." The file will now no longer intercept DNS requests. If there's no change, and you had a custom hosts file, you can rename it back at leisure.

If something has changed your DNS server addresses, you might be able to recover function manually. Find "my network places" on your desktop, right click it and choose "properties." A window will open showing all the connections that have been set up on your computer. Find the one that is now open and in use, put your mouse on it, and right click again, and again choose "properties." You should now be presented with a dialog box showing various settings for various things. Select "Internet Protocol" and click on the "properties" button below. This should bring up another box in which you can specify whether or not your local server supplies you with an IP address, and whether it supplies you automatically with DNS server addresses. If you see server addresses filled in, and the box is checked to use them, uncheck that box and check "obtain DNS server address automatically." Most internet providers do this, and it's rare to have to specify a server unless you have some pet server, or problems with the local ones timing out.

None of this may work if the malware is embedded in your computer in a way that allows it to reinstall its nastiness every time you undo it. For that you'll need a spyware removal program as recommended below. Some of those things can be really vicious and tenacious. Good luck.
 
There is a fairly substantial rumor that similar malware exists for a Mac. If you somehow follow a link to some particular porn sites you get presented with a dialog that you need to download new software to view the candy. After downloading the trojan you are given another dialog by the system to confirm you want to install this potentially malicious software. Once the trojan gets control it redirects DNS queries to the bogus server. It also creates a recurrent task to ensure this hack stays in place.

Sorry, I don't have a link to the particular porn sites or I would have checked this out further. :)

There is nothing magical about OS X that prevents trojan malware. It just takes a bit of social engineering to convince the user that they want to run the program. Until now though, the people who program for OS X haven't sunk so low. I think it has something to do with the positive environment the programmers find themselves in.

But I guess the mystique of a virus free OS these days is too much for some hackers to ignore. And getting started in the development systems has become too easy allowing the hackers to port their wares before becoming infected themselves by the beauty of programming for this OS.
 
Does anyone know what this could be or how to fix it?

You have been infected with a very difficult type of malware to clean if you had to do it yourself. Cheer up, we live on a planet where some people do god's work. Click on this http://www.castlecops.com/c3-Malware_Cleanup.html, follow their directions, and if after running the "HijackThis" software your registry is still infected and you need personal guidance, they will personally help you. That naughty nurses site wasn't as free as they said ;)
 
