Topic: WTF is up with Google... (Read 4447 times)
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
Ok, in the last week any google searches I've done have wound up with a page and a half of crappy redirects masquerading as real links. For example, this morning right before this post I searched "Harry Potter" to check. The first 5 answers said "Official Site" or "Wikipedia" in the title, but if you look at the link they're redirects to spyware, adware etc. I did a search a few minutes before that on "what do you call people with black hair" and yep, the same problem.
Anyone else having the same problem? Has google finally been gamed into uselessness or am I riddled with spyware that I'll have to beat someone in the family for?
|
The past cannot be changed. The future is yet within your power.
|
|
|
Cadaverine
Terracotta Army
Posts: 1655
|
At a guess I'd say spyware. I googled 'what do you call people with black hair', and it came up with links to Yahoo answers, WikiAnswer, and some other sites. And I call them brunettes, for what it's worth. 
|
Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
|
|
|
Trippy
Administrator
Posts: 23657
|
Your computer is very likely hosed.
If you go here:
C:\Windows\system32\drivers\etc
do you see a file called "hosts"? If so what's in it (you can open it with Notepad or any text editor).
Are you using some sort of search toolbar to search Google? If so, is it built into the browser or was it something you installed separately?
|
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
All I have in hosts is the local host. 127.0.0.1
No search toolbar other than the one in basic Firefox - the little drop-down in the upper right. Now that you mention it, though, there was one installed a few weeks ago that I uninstalled. I think it was a yahoo bar and I have no idea who put it there.
I just did another google search and noticed something; it's going to 7.7.7.0 for the results. That doesn't seem normal, either. Fuck me.
|
The past cannot be changed. The future is yet within your power.
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
> At a guess I'd say spyware. I googled 'what do you call people with black hair', and it came up with links to Yahoo answers, WikiAnswer, and some other sites. And I call them brunettes, for what it's worth.
Yeah, I got those answers too, on the headings. But the links go to clickndirect.com, hairbykayla.com, toseeka.com for the first 3 results. Also, brunette isn't technically right. That's brown hair.
|
The past cannot be changed. The future is yet within your power.
|
|
|
Trippy
Administrator
Posts: 23657
|
Your browser may be set up to go through a (bogus) proxy then. Do you get the same result if you try a different browser?
What happens if you go to, say, here:
http://74.125.19.147/
(that's a valid www.google.com IP address)
If you bring up a command prompt and type in:
nslookup www.google.com
do you see various 74.125.19.XXX IP addresses?
|
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
Found it on a search on the wife's machine. It's a relatively new malware that installs itself via Java/Adobe PDFs. It's in system32/wdmaud.sys
Thanks for the help, folks.
|
The past cannot be changed. The future is yet within your power.
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
Hrm.. that file is labeled 4/13/08. Deleting it did fix the redirect problem, though.
Trip, that page still redirected me. It's a redirect that's messing with google searches themselves in the OS apparently.
|
|
« Last Edit: January 18, 2009, 07:21:53 AM by Merusk »
|
|
The past cannot be changed. The future is yet within your power.
|
|
|
Aez
Terracotta Army
Posts: 1369
|
I checked my Host file. Is this text normal?
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
|
|
|
|
Xuri
Terracotta Army
Posts: 1199
몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!
|
Yep, looks normal to me.
|
-= Ho Eyo He Hum =-
|
|
|
NiX
Wiki Admin
Posts: 7770
Locomotive Pandamonium
|
That's the default hosts file.
Seems like Merusk is finally paying for the death of Elf porn.
|
|
|
|
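The hosts-file check discussed in the posts above can be done mechanically. The following is an added example, not part of any post in the thread: it parses hosts-file text, ignores comments and plain localhost mappings, and reports every entry that overrides DNS for another name. The sample text is constructed from the default file quoted above plus one made-up tampered line; the function names are hypothetical.

```python
import ipaddress

# Constructed sample: lines from the default hosts file quoted in the thread,
# plus a made-up tampered entry (203.0.113.7 is a documentation-range address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed tampered line
::1             localhost
not-an-ip       broken.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, address, [names]) for every active (uncommented) entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not entry:
            continue
        fields = entry.split()
        yield line_no, fields[0], fields[1:]


def audit_hosts(text):
    """Return findings for entries that override DNS for a non-local name."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, names, "unparseable address"))
            continue
        remote = [n for n in names if n.lower() not in LOCAL_NAMES]
        if not remote:
            continue  # plain localhost mapping, as in the default file
        if ip.is_loopback or ip.is_unspecified:
            reason = "name sinkholed to a local address"
        else:
            reason = "name pinned to a fixed remote address"
        findings.append((line_no, addr, remote, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

An empty result only rules out the hosts file; as the thread goes on to show, the redirect in this case came from elsewhere.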
Hawkbit
Terracotta Army
Posts: 5531
Like a Klansman in the ghetto.
|
I picked up a naaaasty virus about 2 months ago that applied itself off a stupid wrestling movie that someone linked off another forum. As soon as I clicked on the play button on the movie I was hosed. I could open a normal browser and run a search for Star Wars and get back some fairly relevant links, but most of them were caches from long ago pages. Or else it would redirect me to spyware removal sites. The irony is when I would search for spyware removal and do any searches for the virus name that hit me, it would redirect me to either pr0n sites or fake spyware removal sites. Those little malicious geniuses.... making a virus to sell you anti-virus software.
|
|
|
|
Ubvman
Terracotta Army
Posts: 182
|
If you think you caught the malware, perhaps your machine is still caching the bad dns?
Open up a command line and type:
ipconfig /flushdns
See if that fixes the problem.
|
|
|
|
MahrinSkel
Terracotta Army
Posts: 10859
When she crossed over, she was just a ship. But when she came back... she was bullshit!
|
Get Sandboxie. I use it for everything I'm not totally comfortable with (that includes most of the links you freaks post). Worst that can happen is that you have to flush a Sandbox, and lose any reconfigurations you've done to it or installs you've made.
--Dave
Edit by Trippy: fixed link
|
|
« Last Edit: January 21, 2009, 02:52:13 AM by Trippy »
|
|
--Signature Unclear
|
|
|
Draegan
Terracotta Army
Posts: 10043
|
My coworker has this same issue. I tried a few of the things listed here to no avail; it still directs to different sites. For instance, clicking on Continental Airlines homepage brings you to cheap ticket sites.
wdmaud.sys is in the \system32\drivers folder and a few other places like \386\ and in a few sp3 and sp2 .cab's. I deleted the few that were in the directories but the one in the drivers folder keeps popping up with a 4/13/2008 date.
Any ideas?
|
|
|
|
Engels
Terracotta Army
Posts: 9029
inflicts shingles.
|
Uhm, that file is an audio driver file. Apparently there is a trojan that infects it, but you will still need to replace it with a real one.
C:\WINDOWS\system32\Drivers\wdmaud.sys <=this one is legit
C:\WINDOWS\system32\wdmaud.sys <=this one is not!
|
|
« Last Edit: January 26, 2009, 09:14:43 AM by Engels »
|
|
I should get back to nature, too. You know, like going to a shop for groceries instead of the computer. Maybe a condo in the woods that doesn't even have a health club or restaurant attached. Buy a car with only two cup holders or something. -Signe
I LIKE being bounced around by Tonkors. - Lantyssa
Babies shooting themselves in the head is the state bird of West Virginia. - schild
|
|
|
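The path distinction in the post above (a driver name appearing directly in system32 as well as in system32\Drivers) generalizes to a simple check. This is an added example, not part of any post in the thread: it lists .sys files in the top level of a system32 directory whose name also exists in its drivers subfolder, with their modification dates, as candidates for review. The function name is hypothetical, and a hit is a lead to investigate, not proof of infection.

```python
import os
import time


def shadowed_drivers(system32):
    """Return (path, modified_date) for .sys files sitting directly in
    system32 whose name also exists in its drivers subfolder.
    Names are compared case-insensitively, as Windows does."""
    drivers_dir = None
    for entry in os.listdir(system32):
        candidate = os.path.join(system32, entry)
        if entry.lower() == "drivers" and os.path.isdir(candidate):
            drivers_dir = candidate
    if drivers_dir is None:
        return []

    driver_names = {
        name.lower()
        for name in os.listdir(drivers_dir)
        if name.lower().endswith(".sys")
    }

    hits = []
    for entry in sorted(os.listdir(system32)):
        path = os.path.join(system32, entry)
        if os.path.isfile(path) and entry.lower() in driver_names:
            # The thread uses the file date as a clue, so report it too.
            mtime = time.localtime(os.path.getmtime(path))
            hits.append((path, time.strftime("%Y-%m-%d", mtime)))
    return hits


if __name__ == "__main__":
    # Assumption: a standard Windows layout under %SystemRoot%.
    root = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isdir(root):
        for path, stamp in shadowed_drivers(root):
            print(f"review: {path} (modified {stamp})")
```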
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
What Engels said.
Also, when you click the link check the status bar at the bottom of the browser window for where it's connecting to. When I noticed it was going to 7.7.7.0 I did a google search on a clean machine for "7.7.7.0 virus" and found the solution. It could be that there are variants out there now redirecting to different sites and using different file names.
|
The past cannot be changed. The future is yet within your power.
|
|
|
|