The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=118606
26 messages

Tech: Google results hi-jacked on Firefox

12 Feb 09 - 04:36 PM (#2565297)
Subject: Tech: Google results hi-jacked on Firefox
From: McGrath of Harlow

I assume it must be some kind of Malware, but I've just done a full scan with AVG, and nothing shows up.

It's just cropped up today, and it happens on Firefox (which I normally use) and on Opera (which I use quite often), but not on Internet Explorer (which I hardly ever use).

When I try a search on Google, it takes ages to load (over 20 seconds, whereas normally it comes in a flash). When it does and I type in a search, the ordinary kind of list of answers all appear - but all the addresses are to adverts. So for example if I type in Mudcat, the address which it brings up is something called "www.monstermarketplace.com/ "

Even more puzzling - when I opened up Firefox in a different account on the same machine, it still had this enormous delay before opening up, but then opened up with the right addresses. But back on the previous account the same problem, I still get these strange and unwelcome addresses.

I've tried searching around on the net for advice, and it appears that it's a problem other people have had. But I couldn't find anywhere where the advice given was comprehensible.

I use Windows XP and have a pretty good broadband connection through Virgin Media cable. Any comments or suggestions?


12 Feb 09 - 04:56 PM (#2565307)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Joe Offer

I came across this thing a few weeks ago, Kevin, and it's nasty. It was on the computer of a friend of a friend of a friend, and I didn't want to go through the hassle of dealing with it.

What happened is that you somehow downloaded a worm that installed a program that intercepts the URLs you enter into your Internet browser. When you go to certain Websites (usually search Websites), it redirects you to a search engine that sends you to commercial sites that may be related to your search.

Removing it is a real hassle, involving a number of registry changes. If it's at all possible, the easier solution is to save your data, and reinstall Windows.

Best of luck - you have a nasty problem with no simple solution.

-Joe-


12 Feb 09 - 05:34 PM (#2565335)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: McGrath of Harlow

I rather had the feeling I might be driven to that. What puzzles me is why the worm only seems to operate on one account and not on another, on the same computer, using the same browser. Fortunately I've got a good external hard drive for saving data. The hassle is reinstalling all the other programs I use. Still, after a reinstall everything runs much better for a while, till I clog up the system again...

Here's Les Barker's ditty on the subject of Reinstalling Windows (can be sung to George Formby's When I'm Cleaning Windows).

I bought a computer,
It cost a thousand pound;
But every time I switch it on
It keeps on falling down.

I used to think it was my friend
But now it drives me 'round the bend;
You'd be surprised the time I spend
Reinstalling Windows.

I switch it on; what is this?
Something wrong with "config.sys"
This isn't my idea of bliss,
Reinstalling Windows.

I want to share my printers
And I want to share my files,
I want to share my anger 'cos
It drives me bloomin' wild.

My songs, they say, can be sublime
I've conquered cadence, mastered rhyme
But, nowadays, I spend my time
Reinstalling Windows

Reinstall, oh what fun!
It says it helps you get things done;
Every day now everyone's
Reinstalling Windows.

Look again, it will say
All you do is "plug and play"
Why do I spend every day?
Reinstalling Windows

It can't find my printer
And it can't locate my mouse;
The other day it told me that
They were in another house.

Still unplugged, still unplayed,
I e-mailed God in search of aid;
He's far too busy, I'm afraid
Reinstalling Windows.

Up at dawn for one more try;
Does it work? Can pigs fly?
How do I expect to die?
Reinstalling Windows.

I used to like a drink or three;
No time now, don't call for me;
I'm going to spend eternity
Reinstalling Windows.


12 Feb 09 - 05:51 PM (#2565346)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: RTim

I just used Google with Firefox

No Problems??

Tim Radford


12 Feb 09 - 06:06 PM (#2565361)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Joe Offer

Yeah, I don't get the difference with the other account - although I'm not quite sure what you mean.
I think we're going to have to wait for John From Kansas for definitive information. On the computer I checked, a Google search was transferred to something called "Search7," I believe. Does this take you to a different search engine which then provides the commercial results, or what?
-Joe-


12 Feb 09 - 06:37 PM (#2565402)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: MartinRyan

Any reliable preventative measures?

Regards


12 Feb 09 - 07:45 PM (#2565469)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: McGrath of Harlow

That's it - down the bottom on the left, while "Google" is loading it says waiting for 7.7.7.0..

"I'm not quite sure what you mean." What I mean about "accounts" is that I've got my computer set up so that when it opens there's a choice between my account, my wife's and one for visitors - that means that we don't accidentally mess up anything the other is doing, lose a bookmark or some document she's working on, and vice versa. We just generally use our own account; and I also tend to use the Visitors account for running scans and downloading stuff.

The problem occurs on Firefox on her account and on mine as well, but not on the Visitor one. On the other hand it doesn't happen on Internet Explorer on my account, and it does happen on Opera on the Visitor account. (I haven't checked about Opera or IE on the other accounts.) All very curious.

I've been wondering whether a system restore to a couple of days ago might sort things out, and be less of a hassle than a Windows reinstall. But I suspect that that might not get rid of the worm, and I suspect a reinstall is looming. I'll hold off doing anything for a bit to see if someone comes up with a better option.


12 Feb 09 - 07:51 PM (#2565475)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Jeri

ARIN says 7.7.7.0 is the DoD [Department of Defense, in the USA] Network Information Center. That would creep me out a little...


12 Feb 09 - 08:19 PM (#2565491)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Malcolm Douglas

I'd have thought that a search for "waiting for 7.7.7.0" would be the thing to try, then. Plenty of results. One example of many:

http://kevinmcguire.blogspot.com/2009/01/waiting-for-7770-not-anymore.html

But see also

http://www.andydidyk.com/2009/01/04/7770-google-redirect-virus-alert/

for some important additional detail.

I'm sure there's a great deal more to be found, but you can do that for yourself. Of course, you may have other infections too. Best read up on it all before deleting anything. Let us know how you get on. Reinstalls should be a last resort, though an awful lot of people panic and do them unnecessarily.


12 Feb 09 - 09:01 PM (#2565512)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: McGrath of Harlow

Brilliant Malcolm, thanks - I clicked on that first link you gave, and in a couple of minutes it solved it. Went to c://windows/system32/, looked for a file called wdmaud.sys - it wasn't there, but there were two called wdmaud, and one of them had a description "Miekiemoes rules", which looked pretty dodgy, so I deleted it and bingo, Google was back to normal in all the browsers I tried.

Maybe in the morning I'll have a scout around and try to find out what this was all about. But I can go to bed not having to face up to a reinstall just yet.

The Mudcat came through, as it generally does!!


13 Feb 09 - 11:03 AM (#2565959)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Stilly River Sage

I'm not sure if I'm seeing what you're describing, but I've noticed lately that some bizarre links are turning up in pages I've searched for, and when I click in the line I tried to search for I get a totally unrelated result in an advertising link. It's really odd. I haven't seen it lately, but I scan and keep my spyware up to date. I notice IE isn't terribly stable these days, crashing more easily and loading slowly. I figured I'd wait to the weekend and try to diagnose the problem. I just reloaded my Windows and I can't imagine trying to do something so radical as that again. Surely you can think of a few intermediate steps, like full frontal lobotomy (i.e., regedit). ;-D

SRS


13 Feb 09 - 11:44 AM (#2566012)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Stilly River Sage

I've looked through my drivers in that location, and the only wdmaud in there is a file listed as a WDM Audio driver mapper, and the extension doesn't appear to be the same. I scanned it with Spybot and it says it is fine.

A search through the C: drive finds six instances of the name "wdmaud" but without the sys extensions and they appear to have all arrived via Microsoft. When I click on this one in the system32 drivers, Spybot looks at it; all other instances ask where I want to extract the file (it is housed in different parts of Windows). If this is a Microsoft file that has been hijacked, maybe there's a knowledge base item about it. The original file name is WDMAUD.SYS and this one says it is release 5.1.2600.5512 (xpsp.080413-2108). I have to leave for a while, but I'll do a little more searching before I dump this file.

SRS


13 Feb 09 - 01:53 PM (#2566118)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Malcolm Douglas

Don't do anything without reading both of the pages I linked to: there is important additional info in the second one. The "waiting for 7.7.7.0" message relates to one particular instance of wdmaud.sys which is typically a lot smaller than the others and may have the description "Miekiemoes rules" that McGrath noticed. The others are legit Windows files and should be left well alone unless you particularly want to lose sound on your machine.

If you don't see a file extension, that will be because your machine is set by default to hide some kinds. This can be changed in the Folder Options dialog.

Earlier forms of the worm or whatever you want to call it were tied to a different file and returned a different message ("waiting for 1.2.3.0" is one), so be sure to check the exact symptoms you are getting and search for any message, if different, via Google, before deleting anything. The chances are that SRS has a different infection from McGrath.

The problem may recur, so keep checking for the underlying infection. There seem to be a number of variations on the theme and it's liable to take the various antivirus programs etc a while to catch up. As to the source, one suggestion is that the infection is transmitted via pdf files.
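
The checks discussed in this thread (every wdmaud file under system32, its real extension, its size and its file description), as an added PowerShell example that is not part of any poster's message. It assumes PowerShell 4 or later for Get-FileHash, which postdates the Windows XP machines discussed here, and it only reports; it deletes nothing.

```powershell
# Added example, not from the thread: inventory every file named wdmaud.*
# under System32 and print the properties the posters used to tell the
# legitimate Windows audio files from the rogue one. Read-only.

$root = Join-Path $env:SystemRoot 'System32'

# File description string reported in the thread for one variant. Other
# variants may carry a different description, so a match is a hint for
# review and the absence of a match proves nothing.
$reportedMarker = 'Miekiemoes rules'

# -Force includes hidden and system files; full names are returned whatever
# Explorer's "hide extensions" setting is.
$files = Get-ChildItem -Path $root -Filter 'wdmaud*' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$report = foreach ($file in $files) {
    $info = $file.VersionInfo
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path           = $file.FullName
        Extension      = $file.Extension
        SizeBytes      = $file.Length
        Modified       = $file.LastWriteTime
        Description    = $info.FileDescription
        Company        = $info.CompanyName
        OriginalName   = $info.OriginalFilename
        FileVersion    = $info.FileVersion
        SHA256         = $hash.Hash
        ReportedMarker = ($info.FileDescription -like "*$reportedMarker*")
    }
}

# Smallest first: the thread notes the rogue copy is typically much smaller
# than the genuine files.
$report | Sort-Object SizeBytes | Format-List

$hits = @($report | Where-Object { $_.ReportedMarker })
if ($hits.Count -gt 0) {
    Write-Warning "File(s) carrying the description '$reportedMarker':"
    $hits | ForEach-Object { Write-Warning $_.Path }
} else {
    Write-Output 'No file carries the reported description. Compare size, company and version fields above before drawing a conclusion.'
}
```

Keep the SHA256 values from the report if a file is later removed, so the same file can be recognised if the problem recurs.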


13 Feb 09 - 02:27 PM (#2566134)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: GUEST,.gargoyle

You will find a discussion going on at this moment about the same problem and solution.

http://www.techspot.com/vb/topic121181.html

Sincerely,
Gargoyle


13 Feb 09 - 05:03 PM (#2566281)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: McGrath of Harlow

Just looked through that techspot forum Gargoyle suggested, and my head is still spinning.

The good thing with Mudcat is that here the tech stuff is secondary to the music. This means that so far as computer expertise is concerned nobody is trying to show off, and the people who do understand it generally take account of the fact that most of us don't really.

It's great having Google back. "Don't it always seem to go
That you don't know what you got till it's gone..."


13 Feb 09 - 05:25 PM (#2566299)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: treewind

Good info here too.

It turns out that "Miekiemoes" is having his name taken in vain by the malware!

Anahata


13 Feb 09 - 05:37 PM (#2566312)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: McGrath of Harlow

Having her name taken in vain it appears from this:

Miekiemoes rules ?? Yeah right...

This is about the Searchengine Hijack I blogged about a couple of months ago...Someone notified me yesterday about a version of Win32:Daonol which is a bit different than other versions. The malware author(s) decided to add "Miekiemoes rules" under file description in one of its versions. Again, another proof why not to believe what malware tells you.


And that's the version I'd picked up somewhere.


13 Feb 09 - 05:54 PM (#2566327)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Stilly River Sage

Okay, I'm back, and I've had time to look around, reread the links above, and do a little testing. I'm still finding things to set up in my new computer configuration (the rebuild was about 5 weeks ago), and I hadn't gone in to expose all file extensions yet. That file I'm seeing is a driver, and appears to be a legitimate part of a program.

I use Kerio firewall, AVG free and have all of its settings in use, Spyware Blaster, and Spybot Search&Destroy. WinPatrol watches changes also. Lately AVG had been having difficulty contacting the server for a daily update, but I kept sending it through manually. Perhaps one of those manual settings finally caught the bug. I've kept all of these things up to date.

The problem I saw a few times involved a page of search results acting oddly, redirecting links to ads and odd places. Words on the page were highlighted as hot links but if you moused over them they showed a dialog box with an unrelated ad, or a page would open from it if you lingered, I think. I have been using primarily Firefox and IE, and have tested both with the Google search and they're acting normally now. They were bonkers for maybe a day, and whichever browser it was, I think I closed it and switched to the other browser where I didn't have the problem.

I notice that the AVG is behaving more aggressively now. I had previously not noticed it taking much time to check the link results in searches, but all of the little green check marks are appearing now. Perhaps AVG Link Scanner has rooted it out, or headed it off.

I'll keep an eye out and if it recurs I'll look to see where the delay or redirect is. The browsers have been hanging a bit lately, and considering our much faster connection now, I wouldn't expect this to happen (or at least, not much).

SRS


13 Feb 09 - 06:29 PM (#2566347)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Stilly River Sage

There are a couple of other tools to consider using here.

I love Mike Lin's little program called Startup Control Panel. Find it at http://www.mlin.net/StartupCPL.shtml. It literally sets up in your control panel. Open Control Panel and look for the Startup computer icon.

Poke around in there and see what has pushed to the front of the line when you boot up your computer. I don't like waiting for all sorts of programs to load, especially if I don't use them often. Yet Adobe, Real, Nero, and lots of other programs can and will try to put a quick launch icon in place. If you are running WinPatrol and make any changes, when you uncheck a box telling these programs NOT to load WinPatrol will pop up and ask if you want to make the registry change. The answer is Yes. Lots of stuff in that quick launch lineup means the computer starts slower. You'll see the path name for these programs and many include WINDOWS system32 locations.

If you poke around in this program you'll want to know what you're looking at. DON'T JUST DELETE STUFF! I really like the site called BleepingComputer.com for finding out just what all of these little files are for. If you simply uncheck an item, it won't load. If you uncheck it and you later let it put itself back in the quick launch menu, then it will appear twice in Control Panel startup, one instance checked, one unchecked. You'll have to delete one instance of it before you can uncheck it again.

SRS


13 Feb 09 - 10:43 PM (#2566494)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: JohnInKansas

I don't have any info on the particular infections mentioned here, but a couple of comments of general nature may be worth tossing in.

Most invasions similar to what I'm seeing in the descriptions are not "viral" and less sophisticated AV programs may not be able to find them. Malware distributors seem to have abandoned virus attempts and much of what people are getting are via methods more akin to "phishing" than to "virus" attacks.

The "advantage" of the phishing method for the criminal is that the user is induced to click something and the click looks to your computer like you have asked to have something installed. Since "you are the master of your computer" if you said to do it the computer (and the AV system) must comply and install. The next step up with this kind of malware is bugging a web page so that merely opening the page triggers what looks, to the computer, like a request to have the download and installation so that you don't even have any visible indication that you've "clicked" anything even though the computer is told that you did.

For full protection, or as full as one can get, to be really safe one needs an AV program of the basic kind to protect against actual virus attacks.
Separately, one needs a privacy protection program like Ad Aware and Spybot to protect against "tracking" methods that might tell someone where you go and/or who you are.
You can add in a popup blocker that prevents annoying trash from getting to you. Since the popup blocker sometimes blocks a popup that might offer a place to click to get a "phishing" bug, it gives some protection against this latest kind of attack; but since, as noted, there are methods other than popups used by newer malware it's more of an "inhibition" than a protection.
The last step is the "phishing filter" program that warns you about possibly dangerous web pages, and gives a warning about anything downloading from them.

Programs of the "basic AV" kind have variously incorporated some of the later protections, but especially with the more basic (esp. free) ones it can be difficult to tell exactly how many of the helpful "layers of protection" are included in what you've got, and whether you need to add separate programs to get the others.

You can fairly easily "roll your own" to get all of the normal features, but then each separate program must be separately updated regularly and frequently, and you may have to "twiddle" settings in each program to get the several separate programs to play nice with each other. The alternative is an "Internet Protection Suite" that puts all the goodies in one package; but I don't know of a free one that has everything.

John


13 Feb 09 - 11:09 PM (#2566501)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: JohnInKansas

Generic comment #2:

If you run WinXP or Vista, it's pretty much essential that you get Microsoft's security updates regularly, and getting them automatically is highly recommended. Many people were put off by problems with some earlier updates that caused difficulties for some people, but once you've got WinXP up to SP2, or Vista at any level, I haven't heard of any updates that have crashed a significant number of people.

While automatic updates with automatic install of critical ones possibly do have some "risk factor," the offsetting argument is that for any problems with an update it likely will be very obvious where the problem came from. You won't need to go searching the web (very far) to identify it, and Microsoft support for problems with updates is free. (Even if it is about the only kind of free support you can get from Microsoft.)

Each automatic update runs Microsoft's "Malware Remover" and while the MMR doesn't check everything it does check for "common problems of all kinds" for anything common enough to cause problems for a significant number of users. I consider it worthwhile to let it run at the monthly downloads, but if you "download but decide for yourself whether to install" it may not (or it may?) run every time there's an update.

If you have a problem, you don't have to wait for a scheduled download. You can go to the update site and run the Remover from the site or download it to run manually.

Reports during the last week or so indicate that the MMR was recently updated to remove two fairly significant worms of exactly the kind being described in this thread, although I don't know if those two were exactly the one(s) here.

John


13 Feb 09 - 11:13 PM (#2566502)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: GUEST,.gargoyle

I like (embrace-love-adore) the internet. However, there is always the "sly dog" out there eager to make a meal of the "greedy hog." (NOT - To Say...for the "MC moderating being" that you, or me, or any other Mudcater is a "greedy hog.")

However, personally, I do not like the:
Google.ad.server
Double.click
OR

SMALL CRAFT ADVISORY FOR HAZARDOUS SEAS

Two of those I can control - one is in the hands of God -

Sincerely,
Gargoyle

To control cookies from the never all invasive google revenue types (realize that your Mudcat Cookie might crumble) try:

http://www.networkadvertising.org/managing/opt_out.asp


14 Feb 09 - 11:41 AM (#2566786)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Stilly River Sage

I took AdAware out of my computer a year or more ago because it seemed to conflict with other watchful software. I'll give it a try again now, though as I try to download the free version it suggests that to download properly I need to install a Hebrew language pack (this from the CNet download site). No thank-you. I found a different site that simply allows me to save the program (Major Geeks).

We shall see. If it doesn't play nice, it's out of here again.

SRS


14 Feb 09 - 11:47 AM (#2566788)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: McGrath of Harlow

Right JohnInKansas, you've convinced me, and I've turned on the Microsoft automatic updates.

One thing though: "...any problems with an update it likely will be very obvious where the problem came from." How does that work? I mean, if the computer starts doing something silly, how would I know it had anything to do with the update, rather than being down to something that slipped through in the course of browsing?


14 Feb 09 - 05:06 PM (#2567012)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: Stilly River Sage

It still tells you that it is doing an update, so you'll notice it in conjunction with the update, is I imagine what he was aiming at.


14 Feb 09 - 10:15 PM (#2567164)
Subject: RE: Tech: Google results hi-jacked on Firefox
From: JohnInKansas

If you have a problem, you can still go to the internet to look for a fix, or just to identify what caused it.

With the number of people eager to bad-mouth Microsoft, anything that even hints of a Microsoft source of trouble is definitely going to be splattered all over the place. The only glitch in this procedure is that Microsoft often gets blamed (on the internet) for things that have other sources, along with the times when they're identified for having actually shot themselves in their own a... foot.

If you want to do a more direct check, you can go directly to Microsoft and search for the symptoms there; and with any recent patches they've been pretty quick to 'fess up and tell you what needs to be done.

Every Microsoft patch has a Knowledge Base article to explain what it does, so you can look at what patches have been downloaded recently, and check out the KB articles on any patches that have come in around the time that the problem appeared. If anyone else has reported a problem with the patch, you should find a corrective action that directly addresses what to do. (Most critical patches also have an associated "Security Bulletin" as well, if you want more details.)

At the Microsoft update site, there's an option to "show installed updates" that will give you a complete list of what's on your machine, and when it was added, or just go to Control Panel, Add Remove Programs, and check the option to "show updates."

If you think a patch may have caused a problem, you can uninstall most of them in Control Panel. (There are some that can't be uninstalled, and for those you need to search Microsoft for fixes.) If uninstalling the one you think might be responsible doesn't fix things, it probably wasn't the cause. You don't have to worry much about reinstalling the patch; because the next update will probably reinstall it for you, or it soon will be "rolled into" a later update for the people who missed it in the first round.

John