Google Search/FF3.6
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
I inadvertently got myself a 'dose' of 'Babylon' the other day and found Google Search 'hijacked' to a Babylon tabbed Google page. 'Conduit' was also installed.
All gone now, with a bit of reg clearance and a hack at about:config, but I am still left with a different Google search page which does not have the radio buttons
Search: the web pages from the UK
and I am at a loss to 'restore' the URL for this 'previous' Google search
IE8 still goes to the correct page. Anyone know what I need to do please? I do not seem to be able to limit the search to UK only through any preference settings I can find.
Join Date: Jan 2008
Location: Over the hill and far away
Age: 76
Posts: 174
Look for a file called hosts in your windows\system32\drivers\etc folder (windows bit may be slightly different depending on actual operating system).
Open it with Notepad and you'll see all the naughty redirects in there.
All it should say is:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
Anything else has probably been added by the trojan.
The # marks are comment lines - they do nothing.
Hope that helps,
Ken
Spoon PPRuNerist & Mad Inistrator
Ken,
The hosts file is often seriously augmented by "good" programs, such as SpyBot, that enter large numbers of bad domains, resolving them to 127.0.0.1.
So what it should and shouldn't say is not about the quantity of entries, more about the names and associated IP addresses. If anything that you don't recognise points to an IP other than 127.0.0.1, that is suspect.
SD
Join Date: Jan 2008
Location: Over the hill and far away
Age: 76
Posts: 174
Yep, I'll agree with that. I've not used SpyBot, so I wasn't aware it directed blacklisted sites to localhost, but that makes sense.
Certainly, as you say, anything nasty will be obvious, such as a lot of lines similar to:
Code:
www.google.co.uk www.trojangoogle.com
www.google.com www.trojangoogle.com
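SD's rule of thumb and Ken's sample lines above, turned into a check (an added example, not code posted in the thread): it reads hosts-file text, ignores comments, and reports every active entry that does not point at a local sink address. Treating the whole loopback range and 0.0.0.0 as harmless is an assumption that widens SD's "127.0.0.1" rule, and all sample entries are constructed.

```python
import ipaddress

# Constructed sample: stock comment lines, two blocklist-style entries of the
# kind SpyBot adds, one redirect to a documentation-range address, and one
# line in the hostname-to-hostname shape quoted in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#       127.0.0.1       localhost
127.0.0.1   ads.example.net   tracker.example.net   # blocklist entry
0.0.0.0     popups.example.org
203.0.113.7 www.google.co.uk www.google.com   # constructed redirect
www.google.com www.trojangoogle.com
"""

def is_sink(addr):
    """True for addresses that keep traffic on the local machine (assumption:
    loopback range plus 0.0.0.0 / ::, as blocklist tools commonly use)."""
    return addr.is_loopback or addr.is_unspecified

def audit_hosts(text):
    """Return (line_no, verdict, first_field, hostnames) per active line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere
        if not entry:
            continue                            # blank or comment-only line
        fields = entry.split()
        names = fields[1:]
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            # First column is not an IP address: not a valid mapping at all.
            findings.append((line_no, "malformed", fields[0], names))
            continue
        if not names:
            verdict = "malformed"               # address with no host name
        elif is_sink(addr):
            verdict = "sink"                    # blocklist-style, harmless
        else:
            verdict = "suspect"                 # name sent to a real address
        findings.append((line_no, verdict, str(addr), names))
    return findings

def suspects(text):
    """Entries worth a manual look: everything that is not a local sink."""
    return [f for f in audit_hosts(text) if f[1] != "sink"]

if __name__ == "__main__":
    for line_no, verdict, ip, names in suspects(SAMPLE_HOSTS):
        print(f"line {line_no}: {verdict}: {ip} -> {' '.join(names)}")
```

The file's modification date, which BOAC checks in the next post, is a useful second signal alongside the entries themselves.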
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Ken - I had already checked the hosts file and the file date well precedes the change in Google search page so I don't think it is anything 'nasty', just a change in location for Google search. Anyone know where the search URL is stored in FF and IE?
I cannot see any reference in the Hijackthis log to any search engine at all.
EDIT: I've just checked the 'keyword.URL' key and it is identical to my laptop running FF3.6 which goes to the 'old' Google page.??
Last edited by BOAC; 22nd Mar 2010 at 08:54.
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Yes - it is .com but I didn't change it from the original .co.uk. Still searching to find where FF stores the URL so I can change it back.
Edit: gg's plan was the best! I found a 'plug-in' offering .co.uk and it is all back to normal. Still like to know why it changed and where the URL is hidden!
Last edited by BOAC; 22nd Mar 2010 at 12:13.
Join Date: Aug 2005
Location: West of EGKK
Posts: 53
Here's one I prepared earlier
Ensure Firefox is closed.
Locate the file google.xml among the Firefox program files, probably in \Program Files\Mozilla Firefox\searchplugins\
Using a text editor such as NotePad (not a word processor) change every mention of google.com to google.co.uk, if that is your preferred search injun.
Subsequent searches in Firefox will be returned by the google site of your choice.
It may be wise to save a copy of the updated file in a non-volatile location, as any update to FF will undo your amendments.
(e&oe)
Spoon PPRuNerist & Mad Inistrator
Prudence would suggest that you make a copy of the existing file as google.xml.bak or some such, prior to wielding the scalpel.
SD