| Author |
Message |
Mark
|
Posted: September 26, 2003 9:42 PM |
|
|
Importance: High
This message is not related to a quote from GoogleGuy
I haven't seen this posted in the forums, so GoogleGuy hasn't commented on it. But several people have reported this problem in discussions on this site, so I wanted to spread the word.
Many people are reporting that when they try to access Google.com, or other search engines - they are not arriving at the Google home page. Instead, they are redirected to a plain text page asking "Are to you trying to get to Google?" or "Are you looking for a search engine?". The page then explained that a malicious program had infected their computer and modified their HOSTS file, causing Google.com and other domains to resolve to http://64.191.95.139/.
Based on the initial reports, the message seemed like it might be written by Google, trying to help people get back to Google. In fact, I first thought that the Google Toolbar might be tracking the URLs and IPs, which caused the explanation page to be displayed - I now believe this to be incorrect.
"Scumware" programs like this have been around for some time, becoming more prevalent of late. But they are usually somewhat subtle, displaying a fake Google home page with banner and other ads. Many even redirected the search results to real Google domains. The idea is that "if the victim believes that Google simply changed the look of the home page, then they won't seek out a fix for the problem".
This particular case seems unique for two reasons: 1) Instead of a fake Google with banners and pop-ups, a page correctly identifying the cause of the problem and a way to fix it, and 2) It seems to have spread rapidly, with many reports since it was first observed on September 24.
Now, the page at http://64.191.95.139/ has been shortened, presumably due to massive amounts of traffic. Instead of a long page with explanations, the page points to a forum thread on another site. The thread contained the same useful information about how to fix the problem. Of course, now the forum site came under heavy burden, with over 2000 concurrent connections at one point. To reduce the load the forum site put up a plain text page in place of the original thread - the new page provides an explanation and instructions to fix the problem.
My Theory:
The page at http://64.191.95.139/ was written by the creator of the malicious program, not by Google. I believe the creator of the program does not have a profit motive, as most "hijackers" do. I believe this person is more like the hacker who creates a virus for the sole purpose of exposing the security hole in Microsoft software - with no intent to wipe out hard drives, etc. I believe the program writer was trying to raise awareness about the hijacking of domains through modification of the HOSTS file. The program seems to have spread fast - neither AdAware nor SpyBot seem to check for it (yet). And because it doesn't fool anybody with a fake Google home page, it has been successful at generating more awareness and discussion.
Read more in the following discussions on this site:
Spyware presents fake Google home page?
Google not working?
Comcast Customers can't reach Google.com
|
|
 |
Chris Bouey
Posts: 1
Reply: 1
|
Posted: September 27, 2003 11:56 AM |
|
|
So how do you get rid of this thing? |
|
 |
Mark Carey
Posts: 34
Reply: 2
|
Posted: September 27, 2003 2:56 PM |
|
|
The forum site mentioned above states the following, with regard to removing the program:
The final step is to try to remove this program that is hijacking your “hosts” file. As of 10:00 AM September 25 there is no program that will just remove the malicious program yet. In the mean time, download Spybot Search & Destroy by clicking here. Once you have the program installed, open SpyBot and select the "immunize" icon on the left and then check the box "lock hosts file read-only as protection against hijackers". This will stop the program from modifying your "hosts" file again.
I haven't read anywhere about a real fix to remove the program. In fact I haven't yet read anything that suggests that anyone knows what the program is and where it lives on your system.
|
|
 |
zingwong
Posts: 2
Reply: 3
|
Posted: October 2, 2003 7:01 PM |
|
|
I need help!
All right, I got that "Are you looking for Google?" webpage about a week ago, downloaded Spybot, cleared up my hosts file and everything worked fine. I go to Yahoo.com yesterday but it says page not found. I go to Google.com and it says "Are you looking for Google?" I go to lycos.com and it says "Are you looking for a server?"
Well, I accidentally deleted EVERY file from that notepad thing (where it has hosts, imhosts, network, etc.) So I try Spybot and that got rid of some stuff. Thing is, I'm connected to the Internet but can't go to any webpages while using my laptop (I'm using someone else's right now). Any way on how to fix this? I thought copying the hosts, imhosts etc files from this laptop to mine might help but I'm having no luck! Spybot can't find this thing and I thought I should be able to surf the 'Net by now. What do I do?
|
|
 |
hostsFile
Posts: 1
Reply: 4
|
Posted: October 3, 2003 12:17 PM |
|
|
I encountered this yesterday. You can copy a valid file from another computer, or you can just add this to the hosts file:
127.0.0.1 localhost
This is the only thing you need in the file. Make sure you don't save the file as hosts.txt. Well... I actually had to save it first as host.txt and then delete the original and rename host.txt to hosts. I tried saving it directly but it wouldn't replace it even though I told it to. You can see what your mileage is on that.
I only messed with the hosts file found in C/Windows/system32/drivers/etc (or something like that.. I'm at my mac now)
I also found a site... don't remember what it is... that suggested disabling Active X in internet explorer security settings. I didn't disable it, because that will break lots of things like Windows Update, but I did tell it to prompt me.
As soon as you have replaced the file, restart. If you go back to the "Are to you trying to get to Google?" page, it replaces the host file again. |
|
 |
Scotty
Posts: 1
Reply: 5
|
Posted: October 3, 2003 8:29 PM |
|
|
I have also been pained by this PIA virus. Even after deleting all hosts entries and running NAV with current updates the problem persisted. I found a program called hijack this and in 2 minutes the problem was gone.
http://www.tomcoyote.org/hjt/
ADIOS! |
|
 |
Paul
Posts: 2
Reply: 6
|
Posted: October 6, 2003 5:14 PM |
|
|
I have had this hijacking happen to me not once, but twice. On the first occasion I deleted my hosts file and installed spybot. However, I somehow have this program again. It does the old "Are You Looking For Google?" stuff that it did before. However, I can't figure out how to get rid of it a second time. It's affecting my laptop so that I can't connect to any webpages at all (yahoo.com, lycos.com, google.com, webcrawler, etc.). I would really like some help with this. HOW DO YOU GET RID OF THIS THING A SECOND TIME? Someone told me I should make a backup disk of the information on my laptop, reinstall Windows XP, and then everything will be fine. I think that sounds risky so I'll wait to see what anyone here has to say. |
|
 |
Mark Carey
Posts: 34
Reply: 7
|
Posted: October 6, 2003 5:30 PM |
|
|
1) Search your hard drive for files named "hosts". (You may find some in unexpected locations)
2) Delete all search engine entries from each.
3) Follow the instructions to remove QHOSTS at http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html |
|
 |
Paul L
Posts: 2
Reply: 8
|
Posted: October 6, 2003 8:14 PM |
|
|
Thanks. I'll give that a shot. |
|
 |
Bruce
Posts: 1
Reply: 9
|
Posted: October 6, 2003 9:16 PM |
|
|
I've been having a problem getting on to google, altavista, and hotbot since Friday. My DNS settings have nothing in them and I have downloaded the removal tool from symantec for the Qhost virus. Symantec's removal tool didn't detect it and I still can't load these search engines. Any help in finding an answer would be greatly appreciated. |
|
 |
Ginsoakedboy
Posts: 1
Reply: 10
|
Posted: October 7, 2003 5:13 PM |
|
|
Thanks all!
My problem for the last week has been slightly different. All major search engines returned a "Page unavailable" msg.
I'd never heard of a HOSTS file until tonight, but on finding and opening the little bugger, it was full of references to almost every search engine in the world...not just google, but lycos, yahoo etc.
Replacing this with a blank file has, at least temporarily, solved our problems. Google is back up and running.
Hope that helps!
GSB |
|
 |
peter
Posts: 1
Reply: 11
|
Posted: October 13, 2003 10:05 AM |
|
|
Well, I just started to see the "Are you trying to reach google?" page on my laptop, and after reading the above, I am confused.
What is the best to do here? Go to tomcoyote, symantec or spybot?
Does anyone know which will work best, without causing damage? I have little knowledge about computers, so which would be the most complete and easy to follow?
thanks and peace,
Peter |
|
 |
Jennifer
Posts: no
Reply: 12
|
Posted: October 15, 2003 2:21 AM |
|
|
I had this problem, too, for about a week or so and I was very confused. I tried the suggestion on symantec and it didn't work. So, then I tried the suggestion above to find "hosts" files on my hard drive and delete all entries related to search engines and I can now visit google.com without a problem. Is there any more insight as to what caused the problem? Thanks. |
|
 |
Nicke
Posts: 4
Reply: 13
|
Posted: December 12, 2003 5:36 PM |
|
|
To ginsoakedboy:
The hosts file is like the DNS: Windows looks into your local hosts file before asking the DNS about domain name IP addresses, and this is how these programs hijack domains. |
|
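Added example, not part of any post in this thread: a Python sketch of the "find the search engine entries in each hosts file and delete them" step, using the lookup order described in the reply above. The `WATCHED` list, the function names and the sample file are assumptions made for illustration; the sample address is a documentation address, not one reported in the thread.

```python
# Added example: audit hosts-file text for entries overriding search-engine domains.
# WATCHED is an assumed list built from the domains named in this thread.
WATCHED = ("google.com", "yahoo.com", "lycos.com", "altavista.com",
           "hotbot.com", "webcrawler.com")

def is_watched(name):
    """True for a watched domain or any subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (findings, cleaned_text).

    findings: list of (line_number, address, hostname) for watched names.
    cleaned_text: the same file with only those hostnames removed; comments,
    blank lines and unrelated entries are kept as they were.
    """
    findings, kept = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body, sep, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:            # blank, comment-only or malformed line
            kept.append(raw)
            continue
        address, names = fields[0], fields[1:]
        bad = [n for n in names if is_watched(n)]
        findings.extend((lineno, address, n) for n in bad)
        if not bad:
            kept.append(raw)
            continue
        good = [n for n in names if n not in bad]
        if good:                       # keep the legitimate names on the line
            tail = " " + sep + comment if sep else ""
            kept.append(" ".join([address] + good) + tail)
    return findings, "\n".join(kept) + "\n"

# Constructed sample; 203.0.113.10 is a documentation address, not from the thread.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # injected
203.0.113.10    WWW.Yahoo.COM intranet.example
203.0.113.10    notgoogle.com.example
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE)
    for lineno, address, name in found:
        print(f"line {lineno}: {name} -> {address}")
    print(cleaned, end="")
```

Matching on the whole domain label (`google.com` or `*.google.com`) keeps lookalike names such as `notgoogle.com.example` out of the findings, and unrelated names sharing a line with a hijacked one survive the cleanup.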
 |
Austin
Posts: 1
Reply: 14
|
Posted: December 17, 2003 1:50 AM |
|
|
I have encountered another sort of Google hijack. Every time I enter a search query it gives me something like this: http://www.pimp-productions.com/austin/google.jpg
The first page of results gives 'links' to other pages which are most likely under the control of the persons who created the program which is doing this. When I click on the second page of results it sends me back to the first real page. It does not do this in Opera, though, and the window freezes up for a second when the search is first started. This is very frustrating. I have run Spybot and Adaware to death, and it isn't doing anything. Please, PLEASE help.
-Austin |
|
 |
Posts: no
Reply: 15
|
Posted: December 29, 2003 11:34 AM |
|
|
I have a question for you: do you ever get "GLOBAL DIALER"? If so, how do you get rid of it? |
|
 |
Mark Carey
Posts: no
Reply: 18
|
Posted: December 29, 2003 11:57 AM |
|
|
Try this. |
|
 |
SUZIE
Posts: 1
Reply: 19
|
Posted: January 21, 2004 8:12 AM |
|
|
I AM ALSO HAVING PROBLEMS WITH THE GLOBAL DIALER.
I CAN'T GET ON TO ANY SITES, I HAVE EVEN TRIED TO DOWNLOAD NORTON, WHEN I GO TO MY E-MAIL FOR INSTRUCTION ON DNLD WHATEVER OTHER VIRUSES OR WHATEVER THEY ARE IS NOT ALLOWING ME TO GO TO THE DOWNLOAD SITE AND MY COMPUTER FREEZES UP. AFTER I PULL IT BACK UP I HAVE ABOUT 7 OR 8 PORNO SITE
|
|
 |
Mafia
Posts: 1
Reply: 20
|
Posted: May 27, 2004 9:06 AM |
|
|
I FIXED THIS PROBLEM YESTERDAY
1) Google CWShredder.exe (download)
2) Empty all temp folders
a) (c:\doc&set\%userprofile\Local settings\temp)
b) (c:\doc&set\%userprofile\Local settings\temporary internet files and all subfolders, ie content.IEX)
c) (c:\winnt\temp, c:\windows\temp)
d) (did I miss any?)
3) Close all Browsers of all kinds
4) Run Spybot or Adware 6
5) REMOVE ALL
6) Run CWShredder
7) Reboot (DO NOT OPEN A WEB BROWSER)
8) Thank me!!
The problem happens because the FAKE GOOGLE runs a script that reinstalls an infected file every time you open it. CWShredder helps rewrite a certain file (haven't figured out which one) that fakes www.google.com (as well as others)
Good Luck!
|
|
 |
Daryl
Posts: 1
Reply: 21
|
Posted: August 15, 2004 7:51 AM |
|
|
You have a sponsored link noadaware.net
when I downloaded this then checked it with Adaware 6 (free download) it showed that nowadaware is in fact a spyware programme itself. I uninstalled it accordingly. |
|
 |