
Friday, June 23, 2006

 

My Google search has been hijacked

Recently, I frequently found myself taken to strange web sites after clicking the search results from Google. I used to manually remove some obvious spyware, but this one took me a lot more time to figure out.

The first thing I noticed was that the IE status bar showed the link had been redirected to 85.255.114.114, and the PHP scripts there took me further along the hijack trip. I checked the registry and used the HijackThis tool from Merijn (it used to be at Merijn.org, but it looks like this address has recently been taken over by someone else) to remove any items with 85.255.114.114. But the problem still existed. Then I decided to change and save the preferences setting of my Google search, hoping that the change of setting would get rid of this hijack. The preferences link is just to the right of the search text box. It DID work at first, which is odd to the current me, since I now know what causes this problem. Unfortunately, the problem came back after a while.

I used different keywords to search for the cure online and finally found a useful tool. It's called F-Secure BlackLight. You can download it here. Basically, a software technology called a rootkit hides the spyware and makes it invisible to regular anti-spyware software and manual checking. F-Secure BlackLight can find the hidden files and put them under the spotlight.

With it, I found a couple of evil exe files. They are csbwy.exe, dmhti.exe, filesafer23.exe and howiper.exe. The tool can rename the found files and bring peace back to my Google searching. If you have the same issue, try it! And note that there is a file called wbemtest.exe on the list. That's a Windows system file. Don't rename that one. Good luck!
