I inadvertently got myself a 'dose' of 'Babylon' the other day and found Google Search 'hijacked' to a Babylon tabbed Google page. 'Conduit' was also installed.

All gone now, with a bit of reg clearance and a hack at about:config, but I am still left with a different Google search page which does not have the radio buttons

Search: the web pages from the UK

and I am at a loss to 'restore' the URL for this 'previous' Google search

IE8 still goes to the correct page. Anyone know what I need to do please? I do not seem to be able to limit the search to UK only through any preference settings I can find.

Look for a file called hosts in your windows\system32\drivers\etc folder (windows bit may be slightly different depending on actual operating system).

Open it with Notepad and you'll see all the naughty redirects in there.

All it should say is:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost


Anything else has probably been added by the trojan.
The # marks are comment lines - they do nothing.

Hope that helps,
Ken

Ken,

The hosts file is often seriously augmented by "good" programs, such as SpyBot, that enter large numbers of bad domains, resolving them to 127.0.0.1.

So what it should and shouldn't say is not about the quantity of entries, more about the names and associated IP addresses. If anything that you don't recognise points to an IP other than 127.0.0.1, that is suspect.

SD

Yep, I'll agree with that. I've not used SpyBot, so I wasn't aware it directed blacklisted sites to localhost, but that makes sense.

Certainly, as you say, anything nasty will be obvious, such as a lot of lines similar to:

www.google.co.uk www.trojangoogle.com
www.google.com www.trojangoogle.com

Ken - I had already checked the hosts file and the file date well preceeds the change in Google search page so I don't think it is anything 'nasty', just a change in location for Google search. Anyone know where the search URL is stored in FF and IE?

I cannot see any reference in the Hijackthis log to any search engine at all.

EDIT: I've just checked the 'keyword.URL' key and it is identical to my laptop running FF3.6 which goes to the 'old' Google page.??

Click on the down arrow in the search box click >manage search engines then delete Google and reinstall it?

Don't suppose you are using google.com instead of google.co.uk.?
It's not obvious if you use igoogle.

Yes - it is .com but I didn't change it from the original .co.uk. Still searching to find where FF stores the URL so I can change it back:mad:

Edit: gg's plan was the best! I found a 'plug-in' offering .co.uk and it is all back to normal. Still like to know why it changed and where the URL is hidden!

I think it's in the profile as a JSON file.

Ensure Firefox is closed.
Locate the file google.xml among the Firefox program files, probably in \Program Files\Mozilla Firefox\searchplugins\
Using a text editor such as NotePad (not a word processor) change every mention of google.com to google.co.uk, if that is your preferred search injun.
Subsequent searches in Firefox will be returned by the google site of your choice.
It may be wise to save a copy of the updated file in a non-volatile location, as any update to FF will undo your amendments.

(e&oe)

Prudence would suggest that you make a copy of the existing file as google.xml.bak or some such, prior to wielding the scalpel.

SD

What would I do without you all?:)

That worked a treat (I had to delete all search options and then re-instate).

Thanks y'all.