Need some help with a virus..
Made in nl
Wight Lord with the Sword of Kings






North of your position

I've been having trouble with this virus the last two days.
It blocks google.com, youtube.com, bing.com, facebook.com, etc. With this page:

At first it was funny, but it's getting annoying. I can still access google via gmail, luckily.

So, I suspect it's a new one. I don't know how, but I somehow got led to a forum website from Anonymous (lost it) and no idea how I got there anyways.

I've already used MalwareBytes and the Microsoft Security Essentials anti-virus programs, and although MalwareBytes cleared some others from my pc, I still got this one (after restart and deleting cache, etc.)

Only thing I have found about it is this, which is in Spanish, and even with google translate doesn't really help.
http://www.forospyware.com/t459452.html

So, can someone help me with this? :S

   
Made in au
Lady of the Lake






:O I see the Cisco Networking Academy.

Have you tried stuff like checking your extensions and browser settings to see if anything is out of place?

   
Made in nl
Wight Lord with the Sword of Kings






North of your position

Yeah, I did, and there's nothing odd to find.

And yeah, been doing this hardware course thanks to my IT teacher

   
Made in gb
Contagious Dreadnought of Nurgle





Doing a bit of research this seems to be something very new. I can find 3 references to it and none are any help. It seems to have appeared 3 days ago.

It is probably harmless and just a reaction to some slight if Anon are involved. However, it may be more. I'm sure someone else will be along soon who knows a little more about these things.

Have you tried a different browser?

This message was edited 4 times. Last update was at 2013/05/07 09:37:44


 insaniak wrote:
Sometimes, Exterminatus is the only option.
And sometimes, it's just a case of too much scotch combined with too many buttons...
 
   
Made in au
Lady of the Lake







Before you know it you'll be having to toss together computers in 3-5 mins.

   
Made in nl
Wight Lord with the Sword of Kings






North of your position

Steve steveson wrote:
Doing a bit of research this seems to be something very new.

It is probably harmless and just a reaction to some slight if Anon are involved. However, it may be more. I'm sure someone else will be along soon who knows a little more about these things.

Have you tried a different browser?

Yep. As you can see, I use Chrome, but I also tried Internet Explorer (version 7) and Firefox.

   
Made in au
Fixture of Dakka





Melbourne

Yikes. You've got Gandalf telling you you can't access the internet. I think it's time to give up and nuke your hard drive.


Also it may be worth changing the password on your email address/es periodically for the next few weeks. If it's hit you with a keylogger or something then any email address or any website you have an account you need to log into for that matter could be at risk of getting jacked.

   
Made in nl
Wight Lord with the Sword of Kings






North of your position

Yeah, I usually change my password every few weeks anyways.
I guess I'll wait until my anti-virus software can detect and delete it. Until then, I'll have to go to google via my gmail.

   
Made in us
Last Remaining Whole C'Tan






Pleasant Valley, Iowa

Have you tried using this automated fixit to reset your hosts file to default?

 lord_blackfang wrote:
Respect to the guy who subscribed just to post a massive ASCII dong in the chat and immediately get banned.

 Flinty wrote:
The benefit of slate is that its.actually a.rock with rock like properties. The downside is that it's a rock
 
   
Made in us
Blood Angel Captain Wracked with Visions






So thenoobbomb is a Balrog?

 
   
Made in nl
Wight Lord with the Sword of Kings






North of your position

I tried to get a fixer like that, but the page wouldn't load. I'll try it when I'm back on my pc, thanks!

Ssh, don't tell anyone who I am!

   
Made in us
Secret Force Behind the Rise of the Tau




USA

 Snrub wrote:
Yikes. You've got Gandalf telling you you can't access the internet. I think it's time to give up and nuke your hard drive.


Also it may be worth changing the password on your email address/es periodically for the next few weeks. If it's hit you with a keylogger or something then any email address or any website you have an account you need to log into for that matter could be at risk of getting jacked.


That would seem to defeat the purpose to block someone's internet access hoping to pick up the personal info. Most likely it's either a troll virus or like another virus last year it's using Noob's PC as part of a botnet and is blocking internet access so he can't update his anti-virus programs to get rid of it (it will reroute his anti-virus to a dummy site where it will download a fake update).

@NoobBomb, have you tried starting your PC from safe mode?

This message was edited 1 time. Last update was at 2013/05/07 13:22:44


   
Made in nl
Wight Lord with the Sword of Kings






North of your position

Not yet, I'll try that too.
It isn't blocking my whole internet connection though, since I've actually downloaded malware bytes after I got this on my pc. Most likely a troll virus, since the page description says 'What you looking here?'

   
Made in us
Last Remaining Whole C'Tan






Pleasant Valley, Iowa

 thenoobbomb wrote:
I tried to get a fixer like that, but the page wouldn't load. I'll try it when I'm back on my pc, thanks!


Well, if you can't get the fixer to work, here's a clean hosts file. Run windows explorer as admin, and copy and paste it to C:\Windows\System32\drivers\etc. Or you can create your own in an elevated notepad if you like, it's just an extensionless text file called hosts with the following content:



I'm not saying this will fix it, if it's actual malware then you'll need something else. But perhaps one of the malwares you removed altered the hosts file as part of its thing; and besides, it only takes a second and couldn't hurt anything anyway. Remember to flush your DNS after doing this in case it's still pulling from local cache.


This message was edited 1 time. Last update was at 2013/05/07 13:39:21


 
   
Made in nl
Wight Lord with the Sword of Kings






North of your position

I'll try that. I'm also going to look through all programs that are launched at start up and see if there's anything there too. You'll hear from me when I've done that.

   
Made in gb
Major





Sometimes the best thing to do is do a system restore to sometime before you picked the virus up.

"And if we've learnt anything over the past 1000 mile retreat it's that Russian agriculture is in dire need of mechanisation!" 
   
Made in ph
Unhealthy Competition With Other Legions




Isstvan III

Get a mac.

Then use it to physically assault your hard drive.

Money well spent.

I don't know if you've found this already, but I hope this helps:
http://www.2-viruses.com/how-to-fix-google-results-hijacker-google-redirect-virus-problem


"When the traitor's hand strikes, it strikes with the strength of a Legion."

"It is human nature to seek culpability in a time of tragedy. It is a sign of strength to cry out against fate, rather than to bow one's head and succumb."  
   
Made in gb
[DCM]
Moustache-twirling Princeps





Gone-to-ground in the craters of Coventry

I'd start with the hosts file, too.
Rename the "hosts." file to be "hosts.old", and make a new empty file called "hosts."
Type in the 3 bottom lines from Ouze's screenshot, save and reboot.

Then, go here for how to block access to a lot of malware sites:
http://www.malwaredomainlist.com/forums/index.php?topic=174.0
Even if it's still active, it cannot check in, and should go dormant.

If you've already checked the registry for start-up files, keep a list of the good files to make it easier to clean up in the future.

   
Made in nl
Wight Lord with the Sword of Kings






North of your position

 Ouze wrote:
 thenoobbomb wrote:
I tried to get a fixer like that, but the page wouldn't load. I'll try it when I'm back on my pc, thanks!


Well, if you can't get the fixer to work, here's a clean hosts file. Run windows explorer as admin, and copy and paste it to C:\Windows\System32\drivers\etc. Or you can create your own in an elevated notepad if you like, it's just an extensionless text file called hosts with the following content:



I'm not saying this will fix it, if it's actual malware then you'll need something else. But perhaps one of the malwares you removed altered the hosts file as part of its thing; and besides, it only takes a second and couldn't hurt anything anyway. Remember to flush your DNS after doing this in case it's still pulling from local cache.




Fixer didn't work, but the host file did!
Thanks mate!
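
Added example, not part of the original thread: since a modified hosts file turned out to be the cause, this Python sketch audits hosts-file text before it is replaced, flagging entries that override the sites named in the first post, redirect other names, or sinkhole them. The sample content, the addresses and the `WATCHED` list are constructed assumptions.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.50    google.com www.google.com   # injected
203.0.113.50    youtube.com
0.0.0.0         update.av-vendor.example
not-an-ip       bing.com
"""

# Assumption: the sites the first post reports as blocked.
WATCHED = {"google.com", "youtube.com", "bing.com", "facebook.com"}

def parse_hosts(text):
    """Return (lineno, address, [names]) for every active (non-comment) entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 2:
            entries.append((lineno, fields[0], [f.lower() for f in fields[1:]]))
    return entries

def audit_hosts(text, watched=WATCHED):
    """Return (lineno, reason, address, name) for each entry worth reviewing."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        for name in names:
            if ip is None:
                reason = "malformed-address"
            elif name == "localhost" and ip.is_loopback:
                continue                          # the expected default mapping
            elif any(name == d or name.endswith("." + d) for d in watched):
                reason = "watched-domain-override"
            elif ip.is_loopback or ip.is_unspecified:
                reason = "sinkhole"               # blocklist entry, or blocked updates
            else:
                reason = "redirect"
            findings.append((lineno, reason, addr, name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To audit a real machine, pass in the contents of the hosts file under C:\Windows\System32\drivers\etc. A "sinkhole" finding needs a manual look, because deliberate blocklist entries of the kind suggested earlier in the thread appear the same way.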

   
 