google help (+rep)



beth
19-04-2011, 11:59 PM
hi guys, a few months ago i posted this thread: http://www.habboxforum.com/showthread.php?t=680243&highlight= asking for help on a google problem i had (google redirects to goingonearth.com or other weird search sites on firefox4.)

i've been using chrome for months because i did literally everything suggested to try and get rid of whatever the problem was, and it just didn't work. anyway, chrome is really lagging my laptop up and i like firefox, so i've gone back to it but i still have the same redirect problem.

i found this solution http://www.technama.com/2011/remove-goingonearth-or-going-on-eart/ but i'm not really THAT tech-savvy and i was just wondering (because there's no feedback on the page) whether this would be a safe procedure to do?

i'm using windows 7 btw, if it makes any difference.
+rep for any other solutions.
(i've malwarebytes scanned the laptop in safe-mode and it's finding nothing on the laptop that's malicious.)

Jack!
20-04-2011, 06:14 AM
Yeah, it should work

Casio
20-04-2011, 08:16 AM
As stated above, I think it will be fine. Should work.

Zuth
20-04-2011, 08:17 AM
Yer, it should work, maybe try uninstalling firefox and then installing it again? I dunno worth a try

Andy-
20-04-2011, 09:00 AM
Yes it should work, I suggest restoring your computer to another date where it worked or to its original setting, though you lose all your computer files.

N!ck
20-04-2011, 09:25 AM
It's perfectly safe, but I'm not sure it will help as a rogue DNS entry like this would have expired long ago.

However, I recommend you do this and somebody may be able to help.

Download this http://www.trendmicro.com/ftp/products/hijackthis/beta/HijackThis.exe

Find it in your downloads folder, right click on it and choose "Run as administrator". Press yes on the User account control box. Click "Do a system scan and save a logfile"

Post the log here.

RockyHorror
20-04-2011, 10:57 AM
Start > Computer > C > Windows > System32 > drivers

Search for tdssserv.sys, is it present in your files?

lizzieTBH.
20-04-2011, 11:00 AM
As already stated it should work, yes.
:)

beth
20-04-2011, 05:07 PM
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:03:49, on 20/04/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.7930.16406)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\FSP\FspUip.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\rundll32.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\taskeng.exe
C:\windows\explorer.exe
C:\windows\system32\SearchFilterHost.exe
C:\Users\bethiie\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msi.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com?o=14196&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [fspuip] %ProgramFiles%\FSP\fspuip.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [DivX Download Manager] "C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AVMKJHV] rundll32 "C:\Users\bethiie\AppData\Roaming\xmllitew.dll",Zhwagwhfnl
O4 - HKCU\..\Run: [JP595IR86O] C:\Users\bethiie\AppData\Local\Temp\Tjh.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\bethiie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} (WRC Class) - http://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

--
End of file - 7938 bytes


:).

N!ck
20-04-2011, 05:36 PM
I think I know the problem. Run HijackThis again and tick the boxes (ONLY THESE BOXES) next to

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522

and

O4 - HKCU\..\Run: [JP595IR86O] C:\Users\bethiie\AppData\Local\Temp\Tjh.exe

Edit: get rid of this one too: O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

And click on fix checked.

Then restart your laptop and try Firefox.

If it doesn't work still (or you get nothing at all) then open up the start menu and type "internet options" without the quotes. Click on the one that says internet options (probably at the top). Go on the connections tab. Click on LAN settings. Untick the "Use a proxy server for your LAN" option, make sure automatically detect settings is ticked and press ok.
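
[Added example, not part of any post in this thread.] The two kinds of entry picked out of the log above (a browser proxy pointing at the local machine, and a Run key starting a file from a per-user folder) can be checked for mechanically. The function name `triage` and the rule labels are made up for illustration; the sample lines are copied from the log posted above.

```python
import re

# Sample input: a few lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [AVMKJHV] rundll32 "C:\Users\bethiie\AppData\Roaming\xmllitew.dll",Zhwagwhfnl
O4 - HKCU\..\Run: [JP595IR86O] C:\Users\bethiie\AppData\Local\Temp\Tjh.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\bethiie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
PROXY = re.compile(r"ProxyServer = (?:\w+=)?(?P<host>[^:;\s]+):(?P<port>\d+)")
RUN = re.compile(r"^\S+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPDATA = re.compile(r"\\AppData\\(?:Local|LocalLow|Roaming)\\", re.I)
TEMP = re.compile(r"\\Temp\\", re.I)


def triage(log_text):
    """Return (rule, detail) pairs for log entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # header, process list or blank line
        code, body = entry.group("code"), entry.group("body")

        # R-section: a proxy on the loopback address means browser traffic is
        # handed to a program running on this machine before it leaves it.
        proxy = PROXY.search(body)
        if code.startswith("R") and proxy:
            host = proxy.group("host")
            if host.startswith("127.") or host.lower() == "localhost":
                findings.append(("loopback-proxy", f"{host}:{proxy.group('port')}"))

        # O4: autoruns whose target sits in a folder the user can write to
        # without admin rights. Temp is reported separately from the rest.
        run = RUN.match(body)
        if code == "O4" and run and APPDATA.search(run.group("cmd")):
            rule = "autorun-from-temp" if TEMP.search(run.group("cmd")) else "autorun-from-appdata"
            findings.append((rule, run.group("name")))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:22} {detail}")
```

The Google Update line is also reported, because per-user installers legitimately live under AppData; a hit from these rules is a prompt to inspect the file, not a verdict on it.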

beth
20-04-2011, 05:50 PM
no change, still redirecting :( and the lan settings were already set as you said. ah maan.

N!ck
20-04-2011, 06:20 PM
Try going to Firefox's options/preferences. Go on advanced > network > settings > no proxy. Try that.

If it doesn't work, go on the start menu, type "%SystemRoot%\system32\drivers\etc\" without the quotes and click on hosts. Click on notepad and then ok. What does it show?

beth
20-04-2011, 06:47 PM
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost


just says that ha.

Recursion
20-04-2011, 06:53 PM
IMO Backup, Format and Reinstall ;)

Firehorse
20-04-2011, 07:18 PM
IMO Backup, Format and Reinstall ;)

Hehe that reminds me of this: http://theoatmeal.com/blog/fix_computer

beth
20-04-2011, 07:45 PM
IMO Backup, Format and Reinstall ;)

mehh, bit of a faff ha. probably only google on chrome.

Michael
20-04-2011, 07:56 PM
It should be working :S

Edited by Illuminite (Trialist Forum Moderator):
Please do not post pointlessly

N!ck
20-04-2011, 08:04 PM
Try ipconfig/flushdns once more and then I'm stuck.

beth
20-04-2011, 09:03 PM
mehh, i flushed again and restarted and just nothing. ha. ah well, guess i just won't use firefox! thanks for yr help anyway :) +rep xx

Jack!
21-04-2011, 01:10 PM
Have you restarted your modem? Just a general thing, I'm not sure if it could affect it

Recursion
21-04-2011, 01:14 PM
Have you restarted your modem? Just a general thing, I'm not sure if it could affect it

Wouldn't be the problem.

Michael
21-04-2011, 01:31 PM
Sorry about my thread yesterday, it seemed to have accidentally cleared half my thread off. What I think I said was that you could try going to chrome://settings/advanced and untick 'Use a prediction service to help complete searches and URLs typed in the address bar'.

EDIT: Report the problem here: chrome://bugreport/#4

Recursion
21-04-2011, 03:30 PM
It's not an issue with the Chrome program.


Sorry about my thread yesterday, it seemed to have accidentally cleared half my thread off. What I think I said was that you could try going to chrome://settings/advanced and untick 'Use a prediction service to help complete searches and URLs typed in the address bar'.

EDIT: Report the problem here: chrome://bugreport/#4

beth
23-04-2011, 12:41 PM
It's not an issue with the Chrome program.

yeh chrome/internet explorer is completely fine. it's firefox.

Jack!
24-04-2011, 10:16 AM
Do you have any add-ons for Firefox?

iJoe
24-04-2011, 03:11 PM
Download Prevx Safe Online http://www.prevx.com/safeonline.asp

It'll figure out what's hijacking your browser for you.

triston220
24-04-2011, 04:12 PM
Navigate to about:config in your URL bar. Click "I'll be careful, I promise!" and type keyword.url into the search bar. If the value is different than below, replace it:

http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=

I hope I've helped.

beth
24-04-2011, 10:54 PM
Download Prevx Safe Online http://www.prevx.com/safeonline.asp

It'll figure out what's hijacking your browser for you.

um, well it found 5 "infections" for me, but i gotta pay to get rid of them ha? i've done a screenie so if anyone knows how to fix them without paying ha.

http://i53.tinypic.com/206c19j.jpg


Navigate to about:config in your URL bar. Click "I'll be careful, I promise!" and type keyword.url into the search bar. If the value is different than below, replace it:

http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=

I hope I've helped.

did that and it's still redirecting hahaha.

Firehorse
25-04-2011, 09:43 AM
um, well it found 5 "infections" for me, but i gotta pay to get rid of them ha? i've done a screenie so if anyone knows how to fix them without paying ha.

http://i53.tinypic.com/206c19j.jpg



did that and it's still redirecting hahaha.

Those types of virus are a pain to remove. I've had them before and used many different anti viruses and anti malware programs in an attempt to remove them, and even when they say it's successfully removed the virus always would manage to bounce back. Your best bet is to copy all of your files over to an external hard drive (scanning them on the way out so as not to transport the virus with you) and then format your hard drive and re-install your OS.

Using an anti virus is all jolly and good, but once you've had a virus like that you shouldn't trust your PC until it's been formatted. I just use anti viruses to alert me to problems and to quarantine stuff before it can cause harm, they're mostly useless at actually getting rid of them once they've stuck.

Recursion
25-04-2011, 09:51 AM
These are the easiest things to remove ever, you just have to boot into safe mode and work out where it stores its DLLs, .exe and then do a registry cleanup with CCleaner. Generally they're stored in %AppData%\RANDOM-STRING.exe

These are usually because your system isn't up to date or you're using an outdated/crap browser.

Firehorse
25-04-2011, 09:58 AM
They can still find a way to bounce back

Recursion
25-04-2011, 11:17 AM
They can still find a way to bounce back

Never had that issue myself.