1st two results always ads for google



DarrelB
2006-11-11, 20:42
Hi,

Whenever I do a Google search and then click on a link, the first two times I do, it will be some random webpage. It will then go to the correct link the third time.

It is consistent behavior and always two random pages then fine.

I have run the latest Spybot as well as Defender and nothing is found.

Any ideas?

Yodama
2006-11-13, 09:57
Hello DarrelB,

We need more information on this to make an analysis.
For instance, which web browser are you using, which operating system, and so on? Do you remember when this behaviour first appeared? Did you install anything or did anyone else use your computer?

Some of these questions can be answered by submitting a Spybot report.
You can get a Spybot report if you switch Spybot into advanced mode (see Mode), then click on "Tools", and then "View Report". There, confirm that the checkboxes are checked and click on the green button with the arrow labeled "View report". Export the report to a text file and attach it to your next post.

If possible, also submit some screenshots of the ad redirection within your Google search.

DarrelB
2006-11-13, 19:28
Thank you for your reply. I will run that report tonight (problem is with my home computer).

What I do know is:
I am running XP Home Edition with latest updates.
I am using IE (latest version before 7)

I have a feeling it may have got me when I loaded a codec to view a movie from youtube. I only say this because I have 3 computers networked at home and none of the others are infected. I also am very careful about going to sites which are suspicious, and installing a codec is something I know can come back to bite you, but I run NAV Enterprise edition and always have file protection up to date and running so assumed I was at least mostly protected.

I will post the results of the log file as soon as I can run it.

The redirection is real fast and hard to SS. I know it goes to an IP address starting with 85.255. I did manage to catch the address and write it down, and a search on the internet does not show the address as a hit for anything, giving me the impression it is blacklisted, always a bad sign.

The closest I can come is another post here referencing searchesengine. It is like that. My browser is hijacked and redirected to random sites but only the 1st two times.

I booted to safe mode and ran SpyBot, SpyDoctor, NAV, Ewido and one other and got clean results. Rebooted to normal mode and the redirect is still present.

I have deleted my temp internet files, temp files, turned off Restore, deleted the temp files from my login Local Settings, edited the registry to remove any DHCPNAME Server references...damn thing is persistent.

DarrelB
2006-11-14, 06:08
ok. The report is 200kb and I am only allowed 19kb. Is there a particular section I can cut out and attach?

DarrelB
2006-11-14, 06:21
One other thing. The site it is redirecting me to is 85.255.116.222.

I have run the Ultimate Boot CD using all the malware and anti-virus tools and still no go for a fix. I am dreading a complete wipe and re-install so any help would be appreciated!

DarrelB
2006-11-14, 07:25
It should be noted that it only happens with IE. Firefox works fine and seems to ignore the infestation. I d/l a trial version of RemoveIt Pro which supposedly found something called Sys32.alcxmntr but would only clean it if I upgraded to the non-trial version.

I am a little suspicious because if you remove the Sys32. it is the name of my realtek driver and a search of the web did not find one mention of sys32.alcxmntr so it smells of rats.

bastienb
2006-11-24, 20:37
Hi,

I have the same problem on a friend's computer. Each Google search is redirected to this IP address (only first click on the result).

There is no strange software installed. I have installed F-Prot BETA 6 and Spybot with full updates and resident activated, but the problem is not fixed.

Did you resolve the problem?
I have uninstalled all Yahoo, Adobe and Google toolbars for IE.

The problem does not appear with Google search with Firefox.

okibilir
2006-11-26, 20:11
Hi, Darrel
I have had exactly the same problem for the last two weeks. Whenever I click on a site listed by Google, it matters not what the subject is, I get a dropdown window from the Spyware Doctor program that this site, 85.255.116.222, is dangerous and do I want to continue.
After trying umpteen programs without success I sent Spyware Doctor data on my computer, through tools>malware detective, and am now hoping their Level 2 can come up with a solution.
Have you had any success? If affirmative, I would be grateful for your input.

tashi
2006-11-26, 21:03
Hello everyone.


IP address: 85.255.116.222
Reverse DNS: 85.255.116.222-xbox.dedi.inhoster.com.
Reverse DNS authenticity: [Could be forged: hostname 85.255.116.222-xbox.dedi.inhoster.com. does not exist]
ASN: 27595
ASN Name: INTERCAGE
IP range connectivity: 0
Registrar (per ASN): ARIN
Country (per IP registrar): BY
Country Currency: Unknown
Country IP Range: 85.255.112.0 to 85.255.127.255
Country fraud profile: High
City (per outside source): Kharkiv, Kharkivs'Ka Oblast'
Country (per outside source): UA [Ukraine]

If you would like to post a Spybot S&D log so that we can check the System please do the following:

Spybot-S&D version 1.4
Version 1.4: Systems Supported (http://www.safer-networking.org/en/spybotsd/index.html)

Close all browsers
Open SpyBot, check for and get any updates available
Check for problems and fix everything found in red
Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except:

Uncheck[ ] do not report disabled or known legitimate Items.
Uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.
Now select (near the top) view report.
Click export and in the 'save in' box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.

If you cannot attach the Spybot-S&D log take as many posts as needed, however the instructions given usually produce manageable logs.

Or:
Follow the instructions in this sticky topic to post a HJT log in malware removal.
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the malware forum and copy/paste the HJT log into the topic:
Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Cheers.