Computer Security & Viruses/Search leads me to nowhere



Question
QUESTION: Hello.
Last November, my computer was infested with some virus, so I had it fixed. Since then, it has worked fine. But, recently, I noticed that whenever I type in a search term (e.g. Home Depot, Walmart, Best Buy, etc.) in Google (or any other search engine), I get a list like I should. But, if I click on the website I want to see, it takes me to another website. I have Web Security Guard installed, and it tells me whether the website is safe to visit or not. Regardless of what the rating is, I am having a horrible time visiting any website found on the search engine.

ANSWER: It sounds like your computer is infested with adware, meaning a program that takes you to places that are trying to sell you something whenever you try to follow a Google link.

Antivirus programs don't remove many kinds of adware because they trick you into installing them as part of some free program you download. So if this is what happened to you, then you need a complete Internet security product that removes adware, and runs a firewall, too.

Here's what will almost certainly work.

1) Download either Kaspersky Internet Security, which offers a free 30-day trial at http://kapersky.com, or F-Secure's Complete Internet security suite, which offers a free thirty-day trial: https://store.f-secure.com/cgi-bin/dlreg/ml=EN?ID=FSISTB&desid=TRIAL

2) Disconnect from the Internet.

3) Uninstall your current antivirus. This is absolutely essential because otherwise it and F-Secure or Kaspersky will fight each other and might crash your computer. It isn't good enough to just turn off your old antivirus because it probably has been crippled by your virus infection.

4) Install your Internet Security product. Download any updates available.

5) Run a complete scan of your computer. Follow any instructions it might give you.

6) Reboot.

If this works, you can either keep your new Internet Security product or uninstall it and reinstall your old antivirus from either a download of the latest version from their website (if that's how they sell it) or from the disk it was on when you bought it. Be sure to get all the latest updates right away. Usually antivirus companies are pretty good about updating their programs whenever some new attack becomes able to evade or cripple their product.

If you weren't running an antivirus program that includes antispyware protection and a firewall, then I recommend that you not reinstall your old program. Nowadays we need total protection, and this includes antispyware and a firewall.

7) To prevent future infections, don't use Internet Explorer, as it is susceptible to introducing viruses, adware and spyware into your computer. Instead you could use Firefox, free from Mozilla.org . Instead of using Outlook for email, you could use Thunderbird, free from Mozilla.org, or Eudora, free from Eudora.com .


---------- FOLLOW-UP ----------

QUESTION: Hi, Carolyn.  I did as you had suggested. And, yes, it did find quite a few infected items. I removed them and rebooted my computer. Then, I tried to surf the internet (starting from my home page -- Google). Well, it got me nowhere. I was wondering if you had any other suggestions... If I click a website listed on my Favorites, then it works fine. I am currently using PC Tools AntiVirus program along with ThreatFire and PC Tools Firewall Plus.

ANSWER: You have an unusual case here, so please bear with me while we try some unusual ways to discover and fix your problem.

First, here's something simple that might work (assuming you haven't already tried it). If you are using Internet Explorer, could you please download the Firefox browser from http://mozilla.com. If it enables you to browse normally, then this means your Internet Explorer is still infected with adware. In this case, you can clean Internet Explorer with the Zone Alarm firewall from Zonelabs.com. It's really good at removing anything nasty that may infect your browser.

If that doesn't work, then here is a really unusual way that hackers ruin your computer's browser. It just might be that your computer's home page might not really be Google. Hackers can alter a computer so that the websites you visit aren't what they appear to be. There are many ways they can do this, and I can't cover them all here. You can learn what they are and how to fix them at http://www.antiphishing.org/

Also, here's an especially unusual way the bad guys could mess up your surfing by faking a Google website. Could you please locate a file on your computer named "hosts." It probably -- depending on your version of Windows -- will be in C:\i386\hosts. Double click on this file. A window will come up asking how you want to open it. Choose Notepad.

You should see something like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com          # x client host

127.0.0.1       localhost

If you see google.com in this file, we have the culprit! Erase the line with Google in it, and any other lines that don't have "#" in front of them (except for 127.0.0.1 localhost, which you need), save the file, and reboot.

If none of this works, ouch! I'd like to work with you to find what kind of really weird thing is going on. You may email me directly at carolyn.meinel@techbroker.com or phone me at 505-281-0490.

If you don't find anything wrong with the hosts file, then we will have to try something else.

---------- FOLLOW-UP ----------

QUESTION: Here is what I found:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com          # x client host

127.0.0.1       localhost

127.0.0.1 linkexchange.com
127.0.0.1 ngadclient.hearme.com
127.0.0.1 gohip.com
127.0.0.1 ads.msn.com #
127.0.0.1 www.bay9.com (http://www.bay9.com)
127.0.0.1 portal.brodia.com
127.0.0.1 brodia.com
127.0.0.1 a1428.g.akamai.net
127.0.0.1 media.admonitor.net
127.0.0.1 a852.g.akamai.net #
127.0.0.1 ad.clearbluemedia.com #
127.0.0.1 ad.doubleclick.com #
127.0.0.1 ad.doubleclick.net #
127.0.0.1 ad.link4ads.com #
127.0.0.1 ad-adex3.flycast.com #
127.0.0.1 adclix.com #
127.0.0.1 adengine.theglobe.com #
127.0.0.1 adforce.imgis.com #
127.0.0.1 ads.adflight.com #
127.0.0.1 ads.cashsurfers.com #
127.0.0.1 ads.clearbluemedia.com #
127.0.0.1 ads.desktopdollars.com #
127.0.0.1 ads.link4ads.com #
127.0.0.1 ads.monster.com #
127.0.0.1 ads.stileproject.com #
127.0.0.1 ads.web.aol.com #
127.0.0.1 ads1.erotism.com #
127.0.0.1 advertising.com #
127.0.0.1 alladvantage.com #
127.0.0.1 asacp.org #
127.0.0.1 code.newsclicker.com #
127.0.0.1 download.cashsurfers.com #
127.0.0.1 eads.com #
127.0.0.1 elitecash.com #
127.0.0.1 flycast.com #
127.0.0.1 getpaid4.com #
127.0.0.1 hypercount.com #
127.0.0.1 icache.247media.com #
127.0.0.1 icover.realmedia.com #
127.0.0.1 images.about.com #
127.0.0.1 images.iwin.com #
127.0.0.1 imgworks-images.adbureau.net #
127.0.0.1 jeeves.flycast.com #
127.0.0.1 linkexchange.com #
127.0.0.1 lygo.com #
127.0.0.1 m.doubleclick.com #
127.0.0.1 maximumcash.com #
127.0.0.1 mediaserv.247media.com #
127.0.0.1 mr-cash.com #
127.0.0.1 nedstatbasic.net #
127.0.0.1 prizewindow.com #
127.0.0.1 promo.cuica.net #
127.0.0.1 revenueservice.com #
127.0.0.1 secure.webconnect.net #
127.0.0.1 servedby.advertising.com #
127.0.0.1 server01.popupmoney.com #
127.0.0.1 service.bfast.com #
127.0.0.1 speedyclick.com #
127.0.0.1 spylog.com #
127.0.0.1 stats4all.com #
127.0.0.1 tracker.com #
127.0.0.1 usads.futurenet.com #
127.0.0.1 valueclick.com #
127.0.0.1 view.avenuea.com #
127.0.0.1 websponsors.com #
127.0.0.1 websponsors.net #
127.0.0.1 webtrendslive.com #
127.0.0.1 www.avenuea.com (http://www.avenuea.com) #
127.0.0.1 www.clickxchange.com (http://www.clickxchange.com) #
127.0.0.1 www.commission-junction.com (http://www.commission-junction.com) #
127.0.0.1 www.dimeclicks.com (http://www.dimeclicks.com) #
127.0.0.1 www.doubleclick.com (http://www.doubleclick.com) #
127.0.0.1 www.doubleclick.net (http://www.doubleclick.net) #
127.0.0.1 www.iwin.com (http://www.iwin.com) #
127.0.0.1 www.maximumcash.com (http://www.maximumcash.com) #
127.0.0.1 www.mediaplex.com (http://www.mediaplex.com) #
127.0.0.1 www.netflip.com (http://www.netflip.com) #
127.0.0.1 www.renameit.com (http://www.renameit.com) #
127.0.0.1 www.thecounter.com (http://www.thecounter.com) #
127.0.0.1 www.websponsors.com (http://www.websponsors.com) #
127.0.0.1 www.websponsors.net (http://www.websponsors.net) #
127.0.0.1 www.xxxadserver.com (http://www.xxxadserver.com) #

Should I remove some of these?
If so, which ones?

Answer
Hurrah! You found a cause of your browsing problems!

You need to delete every line that begins with 127.0.0.1 except for the one that reads 127.0.0.1 localhost. Then reboot and check to see if your hosts file didn't get those other lines back into it. If those other lines reappear, then a malicious program is running that rewrites your hosts file every time you fix it. But if the hosts file is still fixed, then your browser should work just fine.

Let me know if anything else is still going wrong, because it sounds like your computer has been horribly infested with viruses, spyware, adware and who knows what else. So even though you've removed a lot of dangerous and annoying infestations by now, who knows what else might still lurk inside.

Also, you will find it easier to prevent future troubles if you get one of those Internet Security Suites that you have to pay for. I recommend Norton, McAfee, F-Secure or Kaspersky. The trouble with free security programs is that they aren't as good as the ones you pay for. That's because the ones you pay for can afford to pay more people to fight malicious programs. (Nearly everyone who asks me for help has been using one of those free programs.)
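
Added example (not part of the original question or answers): a small Python audit of a hosts file that lists every active entry other than the localhost line, separates names pointed at the local machine from names pointed at some other address, and reports which entries are back after the cleanup-and-reboot check described above. The sample file contents, domains and addresses are constructed; reading the real file is left to the caller (on current Windows versions the resolver reads %SystemRoot%\System32\drivers\etc\hosts).

```python
import ipaddress

DEFAULT_NAMES = {"localhost"}  # assumption: only name a stock hosts file maps

# Constructed sample input (documentation-range address, example domains).
BEFORE_CLEANUP = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1 ads.example.net #
203.0.113.7 www.search.example search.example
"""
AFTER_REBOOT = """\
127.0.0.1       localhost
203.0.113.7 www.search.example
"""

def parse_hosts(text):
    """Return (ip, hostname) for every active, non-comment mapping."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first column is not an IP address: skip malformed line
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries

def audit(text):
    """Split non-default entries into loopback sinks and redirects."""
    sinks, redirects = [], []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        local = addr.is_loopback or addr.is_unspecified
        if local and name in DEFAULT_NAMES:
            continue  # the one line the answer says to keep
        (sinks if local else redirects).append((ip, name))
    return sinks, redirects

def reappeared(before_cleanup, after_reboot):
    """Entries flagged before the cleanup that are back after the reboot."""
    old = {e for group in audit(before_cleanup) for e in group}
    new = {e for group in audit(after_reboot) for e in group}
    return sorted(old & new)

if __name__ == "__main__":
    print(audit(BEFORE_CLEANUP))
    print(reappeared(BEFORE_CLEANUP, AFTER_REBOOT))
```

A name in the first list resolves to the local machine, so that site will not load; a name in the second list resolves to whatever address the entry gives, which is the case where a familiar site name leads somewhere else.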

Carolyn Meinel

Expertise

I cover Windows, Linux, TCP/IP and Ethernet security questions. I do not cover Mac, smart phones, or other networking issues.

Experience

Books by Carolyn Meinel: wrote a chapter for The Hacking of America book (see http://www.amazon.com/exec/obidos/ASIN/1567204600/happyhacker). My article Code Red for the Web for Scientific American was reprinted in the book Best American Science Writing 2002 (see http://www.amazon.com/exec/obidos/ASIN/0060936509/happyhacker). My book The Happy Hacker: A Guide to Mostly Harmless Hacking is now in 4th edition with a Japanese edition (see http://happyhacker.org/hhbook/).

Organizations
IEEE, AAAS

Publications
See a list with some online links at http://cmeinel.com

Education/Credentials
MS, Industrial Engineering, The University of Arizona. Took a course in computer forensics at the University of Texas at Austin.

Past/Present Clients
DARPA, SAIC, Palmer Labs

©2012 About.com, a part of The New York Times Company. All rights reserved.