Widespread hijacking of Google.com




Author Message
Mark







PostPosted: September 26, 2003 9:42 PM 

Importance: High

This message is not related to a quote from GoogleGuy

I haven't seen this posted in the forums, so GoogleGuy hasn't commented on it. But several people have reported this problem in discussions on this site, so I wanted to spread the word.

Many people are reporting that when they try to access Google.com, or other search engines - they are not arriving at the Google home page. Instead, they are redirected to a plain text page asking "Are to you trying to get to Google?" or "Are you looking for a search engine?". The page then explained that a malicious program had infected their computer and modified their HOSTS file, causing Google.com and other domains to resolve to http://64.191.95.139/.

Based on the initial reports, the message seemed like it might be written by Google, trying to help people get back to Google. In fact, I first thought that the Google Toolbar might be tracking the URLs and IPs, which caused the explanation page to be displayed - I now believe this to be incorrect.

"Scumware" programs like this have been around for some time, becoming more prevalent of late. But they are usually somewhat subtle, displaying a fake Google home page with banner and other ads. Many even redirected the search results to real Google domains. The idea is that "if the victim believes that Google simply changed the look of the home page, then they won't seek out a fix for the problem".

This particular case seems unique for two reasons: 1) Instead of a fake Google with banners and pop-ups, a page correctly identifying the cause of the problem and a way to fix it, and 2) It seems to have spread rapidly, with many reports since it was first observed on September 24.

Now, the page at http://64.191.95.139/ has been shortened, presumably due to massive amounts of traffic. Instead of a long page with explanations, the page points to a forum thread on another site. The thread contained the same useful information about how to fix the problem. Of course, now the forum site came under heavy burden, with over 2000 concurrent connections at one point. To reduce the load the forum site put up a plain text page in place of the original thread - the new page provides an explanation and instructions to fix the problem.

My Theory:

The page at http://64.191.95.139/ was written by the creator of the malicious program, not by Google. I believe the creator of the program does not have a profit motive, as most "hijackers" do. I believe this person is more like the hacker who creates a virus for the sole purpose of exposing the security hole in Microsoft software - with no intent to wipe out hard drives, etc. I believe the program writer was trying to raise awareness about the hijacking of domains through modification of the HOSTS file. The program seems to have spread fast - neither AdAware nor SpyBot seem to check for it (yet). And because it doesn't fool anybody with a fake Google home page, it has been successful at generating more awareness and discussion.

Read more in the following discussions of this site:

Spyware presents fake Google home page?
Google not working?
Comcast Customers can't reach Google.com

Chris Bouey

Posts: 1

Reply: 1



PostPosted: September 27, 2003 11:56 AM 

So how do you get rid of this thing?

Mark Carey

Posts: 34

Reply: 2



PostPosted: September 27, 2003 2:56 PM 

The forum site mentioned above states the following, with regard to removing the program:

The final step is to try to remove this program that is hijacking your hosts file. As of 10:00 AM September 25 there is no program that will just remove the malicious program yet. In the mean time, download Spybot Search & Destroy by clicking here. Once you have the program installed, open SpyBot and select the "immunize" icon on the left and then check the box "lock hosts file read-only as protection against hijackers". This will stop the program from modifying your "hosts" file again.

I haven't read anywhere about a real fix to remove the program. In fact I haven't yet read anything that suggests that anyone knows what the program is and where it lives on your system.

zingwong

Posts: 2

Reply: 3



PostPosted: October 2, 2003 7:01 PM 

I need help!

All right, I got that "Are you looking for Google?" webpage about a week ago, downloaded Spybot, cleared up my hosts file and everything worked fine. I go to Yahoo.com yesterday but it says page not found. I go to Google.com and it says "Are you looking for Google?" I go to lycos.com and it says "Are you looking for a server?"

Well, I accidentally deleted EVERY file from that notepad thing (where it has hosts, imhosts, network, etc.) So I try Spybot and that got rid of some stuff. Thing is, I'm connected to the Internet but can't go to any webpages while using my laptop (I'm using someone else's right now). Any way on how to fix this? I thought copying the hosts, imhosts etc files from this laptop to mine might help but I'm having no luck! Spybot can't find this thing and I thought I should be able to surf the 'Net by now. What do I do?

hostsFile

Posts: 1

Reply: 4



PostPosted: October 3, 2003 12:17 PM 

I encountered this yesterday. You can copy a valid file from another computer, or you can just add this to the hosts file:
127.0.0.1 localhost

This is the only thing you need in the file. Make sure you don't save the file as hosts.txt. Well... I actually had to save it first as host.txt and then delete the original and rename host.txt to hosts. I tried saving it directly but it wouldn't replace it even though I told it to. You can see what your mileage is on that.

I only messed with the hosts file found in C/Windows/system32/drivers/etc (or something like that.. I'm at my mac now)

I also found a site... don't remember what it is... that suggested disabling Active X in internet explorer security settings. I didn't disable it, because that will break lots of things like Windows Update, but I did tell it to prompt me.
As soon as you have replaced the file, restart. If you go back to the "Are to you trying to get to Google?" page, it replaces the host file again.

Scotty

Posts: 1

Reply: 5



PostPosted: October 3, 2003 8:29 PM 

I have also been pained by this PIA virus. Even after deleting all hosts entries and running NAV with current updates the problem persisted. I found a program called hijack this and in 2 minutes the problem was gone.
http://www.tomcoyote.org/hjt/
ADIOS!

Paul

Posts: 2

Reply: 6



PostPosted: October 6, 2003 5:14 PM 

I have had this hijacking happen to me not once, but twice. On the first occasion I deleted my hosts file and installed spybot. However, I somehow have this program again. It does the old "Are You Looking For Google?" stuff that it did before. However, I can't figure out how to get rid of it a second time. It's affecting my laptop so that I can't connect to any webpages at all (yahoo.com, lycos.com, google.com, webcrawler, etc.). I would really like some help with this. HOW DO YOU GET RID OF THIS THING A SECOND TIME? Someone told me I should make a backup disk of the information on my laptop, reinstall Windows XP, and then everything will be fine. I think that sounds risky so I'll wait to see what anyone here has to say.

Mark Carey

Posts: 34

Reply: 7



PostPosted: October 6, 2003 5:30 PM 

1) Search your hard drive for files named "hosts". (You may find some in unexpected locations)

2) Delete all search engine entries from each.

3) Follow the instructions to remove QHOSTS at http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

Paul L

Posts: 2

Reply: 8



PostPosted: October 6, 2003 8:14 PM 

Thanks. I'll give that a shot.

Bruce

Posts: 1

Reply: 9



PostPosted: October 6, 2003 9:16 PM 

I've been having a problem getting on to google, altavista, and hotbot since Friday. My DNS settings have nothing in them and I have downloaded the removal tool from symantec for the Qhost virus. Symantec's removal tool didn't detect it and I still can't load these search engines. Any help in finding an answer would be greatly appreciated.

Ginsoakedboy

Posts: 1

Reply: 10



PostPosted: October 7, 2003 5:13 PM 

Thanks all!

My problem for the last week has been slightly different. All major search engines returned a "Page unavailable" msg.

I'd never heard of a HOSTS file until tonight, but on finding and opening the little bugger, it was full of references to almost every search engine in the world...not just google, but lycos, yahoo etc.

Replacing this with a blank file has, at least temporarily, solved our problems. Google is back up and running.

Hope that helps!

GSB

peter

Posts: 1

Reply: 11



PostPosted: October 13, 2003 10:05 AM 

Well, I just started to see the "Are you trying to reach google?" page on my laptop, and after reading the above, I am confused.

What is the best to do here? Go to tomcoyote, symantec or spybot?

Does anyone know which will work best, without causing damage? I have little knowledge about computers, so which would be the most complete and easy to follow?

thanks and peace,

Peter

Jennifer

Posts: no

Reply: 12



PostPosted: October 15, 2003 2:21 AM 

I had this problem, too, for about a week or so and I was very confused. I tried the suggestion on symantec and it didn't work. So, then I tried the suggestion above to find "hosts" files on my hard drive and delete all entries related to search engines and I can now visit google.com without a problem. Is there any more insight as to what caused the problem? Thanks.

Nicke

Posts: 4

Reply: 13



PostPosted: December 12, 2003 5:36 PM 

To ginsoakedboy:

The hosts file is like the DNS: Windows looks into your local hosts file before asking the DNS about domain name IP addresses, and this is how these programs hijack domains.
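
An added example, not part of any post in this thread: a small Python audit for the check described in the replies above (find each hosts file, delete the search-engine entries), which matters because of the lookup order described in Reply 13. The watched-domain list and the sample file are constructed for illustration; only the address 64.191.95.139 comes from the thread.

```python
import ipaddress

# Domains named in this thread; an assumed watch list, extend it as needed.
WATCHED = ("google.com", "yahoo.com", "lycos.com", "altavista.com", "hotbot.com")

# Constructed sample hosts file. 64.191.95.139 is the address quoted in the
# first post; every other entry is made up for this example.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
64.191.95.139   www.google.com google.com   # injected
10.0.0.99       search.yahoo.com
0.0.0.0         ads.example.test
192.168.1.20    fileserver
64.191.95.139   update.example.test
bogus           somehost
"""

def classify(line):
    """Return a reason string if the hosts line looks hijacked, else None."""
    entry = line.split("#", 1)[0].split()
    if not entry:
        return None                      # blank line or pure comment
    addr, names = entry[0], [n.lower().rstrip(".") for n in entry[1:]]
    if any(n == d or n.endswith("." + d) for n in names for d in WATCHED):
        return "watched-domain"          # the entries the thread says to delete
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "bad-address"             # first field is not an IP address
    if ip.is_global:
        return "public-ip"               # pins a name to an internet host
    return None                          # loopback, 0.0.0.0, private LAN

def audit(text):
    """List (line_number, reason, line) for every suspicious entry."""
    found = ((n, classify(l), l) for n, l in enumerate(text.splitlines(), 1))
    return [hit for hit in found if hit[1]]

def cleaned(text):
    """Return the hosts text with every flagged line dropped."""
    return "".join(l for l in text.splitlines(keepends=True) if not classify(l))

if __name__ == "__main__":
    for num, reason, line in audit(SAMPLE_HOSTS):
        print(f"line {num}: {reason}: {line}")
```

Run `audit()` over the text of every file named `hosts` on the machine, and review the flagged lines before writing `cleaned()` output back.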

Austin

Posts: 1

Reply: 14



PostPosted: December 17, 2003 1:50 AM 

I have encountered another sort of Google hijack. Every time I enter a search query it gives me something like this: http://www.pimp-productions.com/austin/google.jpg
The first page of results gives 'links' to other pages which are most likely under the control of the persons who created the program which is doing this. When I click on the second page of results it sends me back to the first real page. It does not do this in Opera, though, and the window freezes up for a second when the search is first started. This is very frustrating. I have run Spybot and Adaware to death, and it isn't doing anything. Please, PLEASE help.

-Austin




Pat

Posts: no

Reply: 16



PostPosted: December 29, 2003 11:34 AM 

I have a question for you: do you ever get "GLOBAL DIALER"? If so, how do you get rid of it?


Mark Carey

Posts: no

Reply: 18



PostPosted: December 29, 2003 11:57 AM 

Try this.

SUZIE

Posts: 1

Reply: 19



PostPosted: January 21, 2004 8:12 AM 

I AM ALSO HAVING PROBLEMS WITH THE GLOBAL DIALER.
I CAN'T GET ON TO ANY SITES, I HAVE EVEN TRIED TO DOWNLOAD NORTON, WHEN I GO TO MY E-MAIL FOR INSTRUCTION ON DNLD WHATEVER OTHER VIRUSES OR WHATEVER THEY ARE IS NOT ALLOWING ME TO GO TO THE DOWNLOAD SITE AND MY COMPUTER FREEZES UP. AFTER I PULL IT BACK UP I HAVE ABOUT 7 OR 8 PORNO SITE

Mafia

Posts: 1

Reply: 20



PostPosted: May 27, 2004 9:06 AM 

I FIXED THIS PROBLEM YESTERDAY

1)Google CWShredder.exe (download)

2) Empty all temp folders

a) (c:\doc&set\%userprofile\Local settings\temp)

b) (c:\doc&set\%userprofile\Local settings\temporary internet files and all subfolders, ie content.IEX)

c) (c:\winnt\temp, c:\windows\temp)

d) (did I miss any?)

3) Close all Browsers of all kinds

4) Run Spybot or Adware 6

5) REMOVE ALL

6) Run CWShredder

7) Reboot (DO NOT OPEN A WEB BROWSER)

8) Thank me!!

The problem happens because the FAKE GOOGLE runs a script that reinstalls an infected file every time you open it. CWShredder helps rewrite a certain file (haven't figured out which one) that fakes www.google.com (as well as others)

Good Luck!

Daryl

Posts: 1

Reply: 21



PostPosted: August 15, 2004 7:51 AM 

You have a sponsored link noadaware.net
when I downloaded this then checked it with Adaware 6 (free download) it showed that nowadaware is in fact a spyware programme itself. I uninstalled it accordingly.


