Tilted Forum Project Discussion Community


Harshaw 09-21-2003 08:20 AM

Evil redirect
 
I'm not sure what happened, but since yesterday when I try to go to google I get 1 of 2 things, I either get "Cannot find server" or it redirects me to www.google.com.org which is a domain registration site. I can't ping google, but I can ping other sites. I've run the latest version of Ad Aware and even a virus scanner. I'm wondering if anyone has any ideas. (running win 2000) This is on IE 6.

Sapper 09-21-2003 12:52 PM

Sounds like your upstream provider was hacked.

If someone were to change the local DNS server's parameters, it is possible for someone to redirect legit traffic to illegitimate sites.

jfranco13 09-21-2003 01:27 PM

Check your network settings to make sure that .org didn't get added to your domain search order as some kind of "always use" - or try going to the google site through its IP address - type http://216.239.51.99 in your browser (at least that's what my nameserver says its IP is) and see if that works. If so, then it is most likely a DNS problem.

Sapper might be right that your ISP or their provider is having DNS issues so maybe you should talk to them if that is the case.

Harshaw 09-21-2003 02:04 PM

Quote:

Originally posted by jfranco13
Check your network settings to make sure that .org didn't get added to your domain search order as some kind of "always use" - or try going to the google site through its IP address - type http://216.239.51.99 in your browser (at least that's what my nameserver says its IP is) and see if that works. If so, then it is most likely a DNS problem.

Sapper might be right that your ISP or their provider is having DNS issues so maybe you should talk to them if that is the case.


I tried going through the IP addy and was able to make it there. But I still can't get out to any search engine. I get the same error when I try to search on Yahoo (because they use google) and when I try to go to Lycos, it sends me to lycos.com.org. I don't think it is anything server side, we have 5 other computers in my house and all of them can see Google.

jfranco13 09-21-2003 02:10 PM

Quote:

Originally posted by Harshaw
I tried going through the IP addy and was able to make it there. But I still can't get out to any search engine. I get the same error when I try to search on Yahoo (because they use google) and when I try to go to Lycos, it sends me to lycos.com.org. I don't think it is anything server side, we have 5 other computers in my house and all of them can see Google.

That's one of the weirdest problems I've ever seen. I tried doing a search on both google and yahoo and neither of them had anything listed. I guess it is kind of ironic to try that but it's usually how I find solutions to weird problems.

Maybe check your DNS servers on the affected machine and make sure they match up with the machines that are not affected? Does this happen in both IE and Netscape?

Harshaw 09-21-2003 02:14 PM

Quote:

Originally posted by jfranco13
Does this happen in both IE and Netscape?

Looks like it, when I try to go to Google from netscape, I get a can not connect to the server error.
How do I check my DNS server on this computer?

jfranco13 09-21-2003 02:34 PM

Quote:

Originally posted by Harshaw
Looks like it, when I try to go to Google from netscape, I get a can not connect to the server error.
How do I check my DNS server on this computer?

Depends on your OS.

In XP, go into Start, control panel, network connections (network and internet connections first, then network connections if you're not in classic mode)

then right-click your connection, go to properties, find TCP/IP in the list and double-click. DNS is listed in there (though it might say 'obtain automatically').

Then click advanced, go to the DNS tab and check again, also go to the WINS tab.

On any other Windows, you want to do the same thing, go into control panel, network, double click TCP/IP and look for the DNS and WINS tabs. Make sure this PC matches all your other ones.

Harshaw 09-21-2003 02:52 PM

Ok, I checked my DNS server numbers and everything matches up.


It's getting close to format the whole thing and start over time. But before I do that, any other ideas?

Flesh 09-21-2003 03:01 PM

well you said you ran ad aware. I dunno if this will help, but since you're about to format I figure it's worth a try. try to scan your pc with Spybot: Search & Destroy, similar to ad aware but it sometimes finds things that ad aware doesn't. (I use both of them btw).

the link for spybot is: http://download.com.com/3000-2144-10...ml?tag=lst-0-1

Nefir 09-21-2003 03:45 PM

Do you connect through a proxy? It could be something on their end.

Harshaw 09-21-2003 03:56 PM

Ok, search and destroy got me a little bit closer, it found something called SlawSelect (something close to that). It said it was redirecting me to 64.191.59.85. I have removed the spyware, but it is still happening.

HeyAgain 09-21-2003 07:24 PM

Was google.com your homepage prior to the redirecting?

You can try two programs (CoolWebShredder and HijackThis) in the link below to possibly get rid of your problem. (Try CoolWebShredder first, then HijackThis.)

http://www.spywareinfo.com/~merijn/

HijackThis

A general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.

Currently at version 1.96

CoolWebShredder

A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D tends to forget essential parts of the hijack, so until it updates, you can just use this to completely remove the hijack. Updated to remove the new variants once they come out.

Currently at version 1.12

Harshaw 09-21-2003 11:43 PM

Ok, so my next step is to get a registry cleaner and clear the stuff out myself. Can anyone suggest a good registry cleaner for Win2000? If you could provide a link, that would be nice seeing as I can't search the internet anymore.

OzOz 09-22-2003 01:47 AM

HeyAgain, thanks heaps for the CoolWebShredder tip and link. I've been having problems with CoolWebSearch for a couple of weeks now. Hopefully no more!

yotta 09-22-2003 03:42 PM

Google, lycos, and yahoo are all hosted at akamai

[0]$ dig www.google.com

; <<>> DiG 9.2.1 <<>> www.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8134
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 9, ADDITIONAL: 9

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 886 IN CNAME www.google.akadns.net.
www.google.akadns.net. 279 IN A 216.239.53.99

;; AUTHORITY SECTION:
akadns.net. 79766 IN NS zc.akadns.net.
akadns.net. 79766 IN NS zf.akadns.net.
akadns.net. 79766 IN NS zh.akadns.net.
akadns.net. 79766 IN NS ns1-93.akam.net.
akadns.net. 79766 IN NS ns1-159.akam.net.
akadns.net. 79766 IN NS use2.akam.net.
akadns.net. 79766 IN NS usw5.akam.net.
akadns.net. 79766 IN NS use4.akam.net.
akadns.net. 79766 IN NS asia3.akam.net.

;; ADDITIONAL SECTION:
zc.akadns.net. 79766 IN A 63.241.199.50
zf.akadns.net. 79766 IN A 63.215.198.79
zh.akadns.net. 79766 IN A 63.208.48.42
ns1-93.akam.net. 79766 IN A 193.108.91.93
ns1-159.akam.net. 79766 IN A 193.108.91.159
use2.akam.net. 79766 IN A 63.209.170.136
usw5.akam.net. 79766 IN A 63.241.73.214
use4.akam.net. 79766 IN A 80.67.67.182
asia3.akam.net. 79766 IN A 193.108.154.9

;; Query time: 37 msec
;; SERVER: 198.93.80.102#53(198.93.80.102)
;; WHEN: Mon Sep 22 16:40:49 2003
;; MSG SIZE rcvd: 403

[0]$ dig www.google.akadns.net @zc.akadns.net

; <<>> DiG 9.2.1 <<>> www.google.akadns.net @zc.akadns.net
;; global options: printcmd
;; connection timed out; no servers could be reached

zc.akadns.net is dead.

The problem is NOT your computer. Your ISP's DNS server is not handling the death of zc.akadns.net as it should.

HeyAgain 09-23-2003 09:33 AM

Hey Harshaw,

While searching through a computer forum for a solution to a video card problem I was encountering, I stumbled upon a question/problem similar to yours. The solution was using the CoolWebShredder program that I suggested earlier.

Give the program a try and see what happens.

Harshaw 09-23-2003 11:34 AM

The end, I hope.

Ok, so this is a weird ending to a weird problem. Just for fun, I tried to go to Google again today. I got a third message this time. This one asked me if I was trying to get to google, told me I had software on my computer keeping me from google and told me to delete anything with the word google from my hosts list.
I did that and I can browse google again.

Thanks for the input from everyone on this board. :)

jfranco13 09-23-2003 03:18 PM

If you want to read more about this, with a few possible solutions, I finally found something on the web about it:

http://www.experts-exchange.com/Oper..._20722100.html

arcane 09-23-2003 06:38 PM

check your hosts file...in winxp it will be in C:\WINDOWS\system32\drivers\etc

just throw the hosts file into notepad and check for anything odd. i had a problem like this and my hosts file was full of janky mappings for websites
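
Added example (not part of any post in this thread, and not code from any tool named in it): the hosts-file check described above, done by a script instead of by eye. The sample file contents and the address 203.0.113.10 are constructed, and parse_hosts and audit_hosts are hypothetical names.

```python
import ipaddress

# Constructed sample of a hijacked Windows hosts file. 203.0.113.10 is a
# documentation address standing in for wherever the hijacker points.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # trailing comment is ignored
203.0.113.10    search.yahoo.com
203.0.113.10\twww.lycos.com
127.0.0.1       ads.example.net
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, address, [names]) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks/tabs
        if len(fields) >= 2:
            yield line_no, fields[0], [n.lower() for n in fields[1:]]

def audit_hosts(text, expected=("localhost",)):
    """Return (line_no, name, address, verdict) for each entry worth a look."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings += [(line_no, n, address, "malformed") for n in names]
            continue
        for name in names:
            if name in expected and ip.is_loopback:
                continue                         # the stock localhost entry
            verdict = "loopback" if ip.is_loopback else "redirect"
            findings.append((line_no, name, address, verdict))
    return findings

if __name__ == "__main__":
    # To audit a real machine, pass the text of its hosts file instead, e.g.
    # open(r"C:\WINDOWS\system32\drivers\etc\hosts").read() on the XP path above.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

Entries reported as redirect are answered from the hosts file before any DNS server is asked, which is why matching DNS settings and unaffected machines on the same network do not rule this out.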

MSD 09-24-2003 04:14 PM

Quote:

Introduction: The Real Threat of Disinformation Campaigns
In any war, the dissemination of propaganda and the use of disinformation are just as effective as the destruction or disruption of an enemy's infrastructure.

Disinformation campaigns, such as spreading false rumors electronically that are picked up by the media as true, cracking into news servers to plant false or misleading stories, or entering false or misleading information in databases, are tactics that can be used by cyberterrorists to undermine the effectiveness of organizations relying on that information.

One effective method to accomplish this spread of disinformation is DNS poisoning (also called DNS spoofing). This tactic consists of convincing a name server that a domain has a different IP address. A close cousin is domain hijacking, which involves stealing a domain at the registrar level.
http://www.informit.com/content/inde...A562B8B96A5%7D

Basically, a piece of malicious software can redirect your browser to an address different from the one that matches the url you typed. A more complicated method is to hack the DNS server itself and replace the IP address of the site you want with one of the hacker's choice. The result is that the hacker's IP address is returned as a match for the URL that you want.

