W7 64 Home premium, IE9. I have Microsoft Security Essentials running since day one on this computer. (Yes, and updated at least weekly.)
Normally when I type a word/phrase in the address line, it goes to Google.com as a search.
The last two days I end up at ‘GlobaSearch.com’ instead. Which claims to be powered by Google and looks somewhat similar, but is NOT google and seems much slower.
I checked in the browser, and under Tools->manage addons ->search providers it shows four sites, numbered thusly:
1) Bing 2) Ask 3) Google 4) Yahoo search
The Google line is marked as the default.
Also, the check box labeled “prevent programs from suggesting changes to my default search” is checked, as is the one for ‘search in address bar.’
So…why am I going to the wrong place? Is this some virus I got despite running MSE?
In case it matters – this happened for a few days once before, sometime around Feb/March. Then it stopped. I don’t know why.
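The provider list that the post above reads from Tools -> Manage add-ons can also be read straight from the registry, which shows whether the redirect is configured in IE itself. The PowerShell below is an added example, not part of the original thread. It assumes the standard IE search-scope registry locations, and the host allowlist is constructed from the four providers named in the post.

```powershell
# Added example (not from the thread): audit IE search providers in the registry.
# Written for PowerShell 2.0 so it runs on a stock Windows 7 install.
$roots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
# Constructed allowlist: hosts for the four providers listed in the post.
$expectedHosts = @('bing.com', 'ask.com', 'google.com', 'yahoo.com')

function Test-ExpectedHost([string]$Url) {
    if ([string]::IsNullOrEmpty($Url)) { return $false }
    # Provider URLs carry {searchTerms} in the query; parse only the part before it.
    $base = ($Url -split '\?')[0]
    $uri = $null
    if (-not [Uri]::TryCreate($base, [UriKind]::Absolute, [ref]$uri)) { return $false }
    foreach ($h in $expectedHosts) {
        # Match the host itself or any subdomain of it, nothing that merely contains it.
        if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { return $true }
    }
    return $false
}

$report = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # DefaultScope holds the subkey name (a GUID) of the default provider.
    $default = (Get-ItemProperty -Path $root).DefaultScope
    foreach ($key in (Get-ChildItem -Path $root)) {
        $p = Get-ItemProperty -Path $key.PSPath
        New-Object PSObject -Property @{
            Hive      = $root.Substring(0, 4)
            Name      = $p.DisplayName   # may be a resource string such as @ieframe.dll,-NNNN
            IsDefault = ($key.PSChildName -eq $default)
            Expected  = (Test-ExpectedHost $p.URL)
            Url       = $p.URL
        }
    }
}

$report | Select-Object Hive, Name, IsDefault, Expected, Url | Format-Table -AutoSize -Wrap
$report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning ("Unexpected search provider URL: " + $_.Url)
}
```

If every entry is expected and the default matches what the add-on manager shows, the redirect is happening outside IE's search-provider settings.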
Do you have another computer you could test out with, using the same internet connection? If the other computer doesn’t redirect, it’s most likely either a virus or some other thing running on your computer (possibly an IE addon toolbar?). If it DOES redirect, there’s an issue with your internet connection itself, in which case you should probably contact your ISP.
Could be a DNS hijack as well - instead of letting your DHCP server configure your DNS settings, set them statically to 8.8.8.8 and 8.8.4.4, then see if the results are different.
Never mind, I withdraw my theory above. A quick search shows that it is indeed a browser hijack. Here’s a thread on another forum about it - although it has to do with Firefox, there may be the beginnings of a way to clean up IE as well. It’s evident that the operator of the website is an unsavory character. http://forums.mozillazine.org/viewtopic.php?f=38&t=1233025&p=6573285
Several variants of the “google virus” are running rampant, and are often extraordinarily hard to detect and get rid of with conventional AV software as most are rootkit viruses. It’s probably the # 1 topic on anti-virus boards these days.
Here’s my experience with it and the solution I found.
Okay, AdAware and Malwarebytes both showed nothing infected. Now I’m DLing the Reanimator program.
I assume the whole point of it is to create traffic at that site so he can sell advertising? I suppose as virus programs go, this is relatively less damaging than most, but it’s sure annoying.
Thank you all for your help so far. I’ll keep you updated.
Okay, there wasn’t a perfect match between the web page’s instructions on what to do, and what the program asked for, but in the end it created some report which I managed to send up to them.
I’m supposed to hear back in 2-3 working days. Hopefully the instructions on fixing the problem will be simple enough for me to handle.
Here is the direct link for the (free) standalone rootkit remover. This program should detect suspicious .dll’s and .exe’s masking themselves as known drivers and remove the rootkit. It should do more than generate a report. It should offer to remove the suspicious binary, at least it did for me.
I think they may have changed how their program works. That’s the page I went to, and its instructions are to DL, unzip, install, update, then run to create a report which you then upload, and eventually they send you a file regrunlog.rnr which apparently are the instructions that the program uses to make the fix. (yay! Apparently I don’t have to understand what’s happening.)
Strange that it says you may need to do the reboot to safe mode/run regrun cycle two or three times to fully fix things. But whatever.
Oh, and they have a handy saying “Read instructions how to go to the Safe mode here.” but the page, she is no longer there. Well, I’m sure I can find instructions on how to do it on the MS site.
FYI: I noticed my Google searches were being hijacked this morning. I just rebooted my Windows 7 machine into safe mode and ran system restore to a point from a couple days ago when I’m sure I wasn’t having those issues, and all my Google belongs to me again.
This requires that you already had system restore running & making regular checkpoints, of course.
I’ve been using RegRun for years. It’s one of the first things I install on a new computer. One of the things I love about it is that it checks for root kits and the like on every boot. No, I don’t frequent sites that are likely to give me problems, but I like having the peace of mind.
Greatis is a Russian company, and their translations sometimes leave something to be desired.
Well I do, and I do… What a beautifully simple sounding cure! But I just did a restore to 6/29, which was before I noticed this problem, and the hijacking still happens.
But I didn’t do the ‘boot into safe mode’ before the restore, just went through the regular control panel. Maybe that makes a difference?