Cable Forum


jtwn 02-05-2005 16:54

404 Hijacked by Google
 
I've had my 404 page hijacked by Google; it now goes straight to google.com. Ran HijackThis and can't see anything of any relevance. Can anybody tell me what files IE queries when it gets a 404?

Raistlin 02-05-2005 16:57

Re: 404 Hijacked by Google
 
Do you mean that instead of getting a 404 on any site you are getting a google page, or do you mean that you are getting a google page instead of a specific site's 404 page?

Paul 02-05-2005 17:09

Re: 404 Hijacked by Google
 
404 pages are served up by the remote server - I don't see how anyone, or anything, could hijack them locally.

jtwn 02-05-2005 17:20

Re: 404 Hijacked by Google
 
Any site. I'm not talking about custom remote 404 pages, but the 'This page cannot be displayed'. I've just noticed that within ms, usually instantly, I'm forwarded to google.com.

Paul 02-05-2005 17:29

Re: 404 Hijacked by Google
 
Quote:

Originally Posted by jtwn
Any site. I'm not talking about custom remote 404 pages, but the 'This page cannot be displayed'. I've just noticed that within ms, usually instantly, I'm forwarded to google.com.

Ah, "this page cannot be displayed" is something totally different - it is not a 404 error, that is a locally displayed thing. That will be a registry setting somewhere.

andygrif 02-05-2005 17:45

Re: 404 Hijacked by Google
 
Ah...now my mind seems to recall something about this.

In IE's settings you can tell IE to use the default search page when it finds a URL it can't open. The default for this is the MSN search page, but you can change this... I think there's an option (but I am probably wrong) in XP PowerToys to do this... or, as Paul says, in the registry.

Chris W 02-05-2005 17:53

Re: 404 Hijacked by Google
 
Download HijackThis - you can then delete the entry that tells IE to use Google as the default search.

If you are not sure which it is, post the log back here, and I will point it out for you.

jtwn 02-05-2005 20:48

Re: 404 Hijacked by Google
 
Thanks for your help guys.

HijackThis log -

Code:

Logfile of HijackThis v1.99.1
Scan saved at 19:38:06, on 02/05/2005
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files (x86)\Devices\Audio Deck\EnMixCPL.exe
C:\Program Files (x86)\Internet Apps\NetLimiter\NetLimiter.exe
C:\Program Files (x86)\Microsoft IntelliType Pro\type32.exe
C:\Games\Valve\Steam\Steam.exe
C:\Program Files (x86)\Devices\SpeedFan\speedfan.exe
C:\Program Files (x86)\File Sharing\Azureus\Azureus.exe
C:\Program Files (x86)\Internet Apps\Java\jre1.5.0_02\bin\javaw.exe
C:\Program Files (x86)\Internet Apps\NoNameScript\mirc.exe
C:\Program Files (x86)\Internet Apps\Ventrilo\Ventrilo.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Outlook Express\msimn.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache1-lang.server.ntli.net:8080
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Internet Apps\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\googletoolbar1.dll
O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\SysWow64\winvbie.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\googletoolbar1.dll
O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\SysWow64\msiev32.dll
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [EnvyHFCPL] "C:\Program Files (x86)\Devices\Audio Deck\EnMixCPL.exe"
O4 - HKLM\..\Run: [NetLimiter] "C:\Program Files (x86)\Internet Apps\NetLimiter\NetLimiter.exe" /s
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files (x86)\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\RunServices: [Microsoft Message Queue Manager (Critical)] msmdsrvx.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files (x86)\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files (x86)\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files (x86)\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files (x86)\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files (x86)\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Internet Apps\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Internet Apps\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{161798E9-D96D-4797-928A-469378B957DC}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{161798E9-D96D-4797-928A-469378B957DC}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{161798E9-D96D-4797-928A-469378B957DC}: NameServer = 194.168.4.100,194.168.8.100
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

This is on Windows x64 and comes up with many errors when first searching. Also, after running Avast earlier, came across with my WinSock32.dll (cannot be sure whether it was a clone in the wrong folder/slight file name difference) but it was a trojan/infected and was deleted. I'm guessing that might have had some relevance?

TheBlueRaja 02-05-2005 20:52

Re: 404 Hijacked by Google
 
Might seem like a daft suggestion - but - you do have Google toolbar installed by the look of it.

Is it an option within that?

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\googletoolbar1.dll

And

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\googletoolbar1.dll

Richard M 02-05-2005 20:59

Re: 404 Hijacked by Google
 
Quote:

Originally Posted by TheBlueRaja
Is it an option within that?

Looks like it.
I couldn't help noticing you're running the 64-bit version of XP BTW. :tu: :D

TheBlueRaja 02-05-2005 21:22

Re: 404 Hijacked by Google
 
:notopic: Rich - if you say - had a heart attack (just theoretically speaking mind - this ain't no voodoo curse), would your sig change to say Current Status :- Call an ambulance or something?

Gareth 02-05-2005 22:14

Re: 404 Hijacked by Google
 
Bluey, yeah it would... have a look here http://www.phpfuture.net/code/MySync/about/

Quote:

Included in this message would be a personal message from myself and several instructions that are to be carried out.
I want to know what these instructions will contain. Ricin bombs planted in the underground...? Transfer of money from Swiss bank accounts...?

jtwn 02-05-2005 22:43

Re: 404 Hijacked by Google
 
Quote:

Originally Posted by TheBlueRaja
Might seem like a daft suggestion - but - you do have Google toolbar installed by the look of it.

Is it an option within that?

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\googletoolbar1.dll

And

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\googletoolbar1.dll

Nope, not as far as I can see. Tried 'Reset web settings' in the internet options - nothing :(

Quote:

Originally Posted by Richard M
Looks like it.
I couldn't help noticing you're running the 64-bit version of XP BTW. :tu: :D

Yep :) Solid as rock too, well impressed with it. Just need to get more drivers built for it.

TheBlueRaja 02-05-2005 23:02

Re: 404 Hijacked by Google
 
Quote:

Originally Posted by Gareth
Bluey, yeah it would... have a look here http://www.phpfuture.net/code/MySync/about/


I want to know what these instructions will contain. Ricin bombs planted in the underground...? Transfer of money from Swiss bank accounts...?

:shocked:

Mental!

jtwn - Out of curiosity - could you uninstall the toolbar and see what happens? You could just reinstall it afterwards - shouldn't take more than 5 mins.

Richard M 02-05-2005 23:40

Re: 404 Hijacked by Google
 
Quote:

Originally Posted by TheBlueRaja
Quote:

Originally Posted by Gareth
Bluey, yeah it would... have a look here http://www.phpfuture.net/code/MySync/about/


I want to know what these instructions will contain. Ricin bombs planted in the underground...? Transfer of money from Swiss bank accounts...?

:shocked:

Mental!

I think it's sensible, but that's your opinion. :shrug: :D

Gareth 02-05-2005 23:58

Re: 404 Hijacked by Google
 
Heh, no offence, Rich. I think it's pretty cool. Just don't forget to turn it off when you go on holiday ;)

Richard M 03-05-2005 00:00

Re: 404 Hijacked by Google
 
Got that covered, I can reset it from my mobile phone. :D

jtwn 05-05-2005 13:00

Re: 404 Hijacked by Google
 
Looks like I've fixed it. Had a stealthy install of a toolbar (which isn't shown anyway) called 'VisuExplorer' which installs winvbie.dll and msiev32.dll into the system dll directory.

Also just out of interest, on MS AntiSpyware I think I've found an easy way to change the browser error pages which are defined in the registry - Tools>Advanced Tools>Browser Hijack Settings Restore.
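
Added example (not part of the thread, and not HijackThis's own logic): a short Python triage of the O2/O3 lines from the log posted above, showing how the two DLLs jtwn eventually traced to VisuExplorer stand out from the Acrobat and Google add-ons. The three heuristics and the function names `parse_addons` and `triage` are assumptions chosen for illustration.

```python
import re
from ntpath import basename

# Five O2/O3 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Internet Apps\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\googletoolbar1.dll
O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\SysWow64\winvbie.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\googletoolbar1.dll
O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\SysWow64\msiev32.dll
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ENTRY = re.compile(rf"^(O2|O3) - (?:BHO|Toolbar): (.+) - ({GUID}) - (.+)$")
SYSTEM_DIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)


def parse_addons(log_text):
    """Return one dict per O2 (BHO) / O3 (toolbar) line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, name, clsid, path = m.groups()
            entries.append({"code": code, "name": name, "clsid": clsid.upper(), "path": path})
    return entries


def triage(entries):
    """Map DLL file name -> reasons it deserves a closer look (assumed heuristics)."""
    toolbar_clsids = {e["clsid"]: e for e in entries if e["code"] == "O3"}
    findings = {}
    for e in entries:
        reasons = []
        if SYSTEM_DIR.search(e["path"]):
            reasons.append("add-on DLL lives in the Windows system directory")
        if e["code"] == "O2" and re.fullmatch(GUID, e["name"]):
            reasons.append("BHO has no friendly name, only a GUID")
            tb = toolbar_clsids.get(e["name"].upper())
            if tb:
                reasons.append(f"BHO is named after the CLSID of toolbar '{tb['name']}'")
        if reasons:
            findings[basename(e["path"]).lower()] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in triage(parse_addons(SAMPLE_LOG)).items():
        print(dll, "->", "; ".join(reasons))
```

A flagged entry is a prompt to check the file's origin and signature, not proof of a hijacker; legitimate add-ons can also install into the system directory.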


All times are GMT +1.