Internet Explorer Hijacking

6:36 PM June 5, 2007

My sister called me today. They have their web browser home page set to http://www.google.ca - we are Canadian, eh! :-). Anyway, when starting up their browser, they would automatically be redirected to http://theresa.ca/, an online dating site. This would also happen when clicking on the Home button.

So I went through the usual procedures to remove this hijack. First, using HijackThis - http://www.merijn.org/programs.php or direct download - http://216.180.233.162/~merijn/files/HijackThis.exe.

HijackThis is an anti-adware program where you have to know what you are doing, since it's a program that doesn't automatically delete any adware; basically it just shows you what is working in the background and starting up on your computer. You have to decide for yourself what to disable or not.

I don't consider myself an expert, but I know of a few things to look for, and what I don't recognize I would just look up with an online search. But this time there was nothing unusual working in the background.

My next instinct was to check the HOSTS file, a relic left over from the past. An Internet address is actually a series of numbers, but we use names because they are easier to remember. So when you go online, the first thing your computer has to do is convert the web address name to a number.

It usually has to go on the Internet to do that. But it is possible to have it done on your computer through the HOSTS file. It's a plain text file stored on your computer.

  • Found in C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS on an XP system.
  • Usually on older versions it's simply in the C:\WINDOWS\ folder.
  • It has no extension, so when you double-click on it, it will ask which program to open it with; just choose Notepad.

    Unless you or something else has altered it, it should basically look like the following.

    # Copyright (c) 1998 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP stack
    #
    # This file contains the mappings of I.P. addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The I.P. address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    It is supposed to be like an address book on your computer and can be used to speed up your Internet access (don't expect any miracles, by the way).

    Using the example above - 102.54.94.97 rhino.acme.com - if you wanted to go to www.rhino.acme.com, your computer would have to go online, access the DNS server, and find the IP number first before going to that address. By having it on your computer in the HOSTS file, it already has quick access to the IP address, in this case 102.54.94.97.

    That is one less step it has to take, and a slight speed increase for you.

    This file can also be used to block websites and ads. For example, adding the following line can block some of those ads you see coming from Google:

    127.0.0.1 pagead2.googlesyndication.com

    So it would look like this:

    127.0.0.1 localhost
    127.0.0.1 pagead2.googlesyndication.com

    It's usually recommended not to delete or alter the first line, which simply refers to your own system. Unfortunately, adware, spyware and some viruses can also use this file to their advantage by blocking your ability to update your antivirus, for example. Or by sending you to one place when you want to go to another.
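
A small auditor for the file format described above, written for this page as an added example (it is not part of the original post). It separates plain blocks (names pointed at the local machine) from redirects to some other address and from overrides of hosts you never want touched. The sample file, the `example` hostnames and the `PROTECTED` watch list are constructed placeholders.

```python
import ipaddress

# Constructed sample: a HOSTS file with one ad block, one blocked update
# server and one redirect. Hostnames under .example are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 pagead2.googlesyndication.com   # ad block
127.0.0.1 update.av-vendor.example
203.0.113.7 www.bank.example bank.example # redirect
not-an-ip broken.example
"""

# Hypothetical watch list of hosts that must never be overridden locally.
PROTECTED = {"update.av-vendor.example"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                            # blank, comment-only or no host
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, fields[1]      # malformed address column
            continue
        for host in fields[1:]:                 # one line may list several names
            yield line_no, ip, host.lower()

def audit_hosts(text, protected=PROTECTED):
    """Return (line_no, hostname, verdict) for entries worth a second look."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if ip is None:
            findings.append((line_no, host, "malformed"))
        elif host == "localhost" and ip.is_loopback:
            continue                            # the stock entry
        elif host in protected:
            findings.append((line_no, host, "protected-host-overridden"))
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, host, "blocked"))
        else:
            findings.append((line_no, host, "redirected"))
    return findings

if __name__ == "__main__":
    print(*audit_hosts(SAMPLE_HOSTS), sep="\n")
```

On a real machine, pass in the contents of the HOSTS file itself; anything reported as redirected or as an overridden protected host deserves a closer look.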


    HOSTS file info:

    http://www.hostsfile.info/hosts_file_tutorial.html

    http://en.wikipedia.org/wiki/Hosts_file

    http://www.mvps.org/winhelp2002/hosts.htm

    http://accs-net.com/hosts/what_is_hosts.html

    http://www.mvps.org/winhelp2002/hostsfaq.htm


    Anyway, back to my problem: there were no entries in the HOSTS file on my sister's computer. Of course, hijackers are getting more clever about hiding their intrusive actions.

    So, back in the browser, I tried just typing www.google.ca and it went through, no problem. I tried a number of other addresses with the same result; again, no problem. It only seemed to affect the home page.

    So I went to the Internet properties: either open up Internet Explorer and click on the Tools menu and then Internet Options, or go through Control Panel.

    One of the first options you see there is for setting the home page. I was going to type in a different home page when I noticed something odd. The home page wasn't set to http://www.google.ca but to http://www.googles.ca, with an s at the end. By typing http://www.googles.ca you automatically get redirected to http://theresa.ca/. Just getting rid of the s at the end of googles fixed the problem.
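
A one-letter change like this is easy to miss by eye, so here is a check that compares the configured home page with the one you expect and flags near-miss host names. This is an added example, not part of the original post; the function names and the distance threshold of 2 are assumptions, and only the host part of the URL is compared.

```python
from urllib.parse import urlsplit


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname(url):
    """Lower-cased host of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def check_home_page(configured, expected, max_distance=2):
    """Classify the configured home page against the one the user expects."""
    got, want = hostname(configured), hostname(expected)
    if got == want:
        return "ok"
    if 0 < edit_distance(got, want) <= max_distance:
        return "lookalike"      # e.g. one extra letter, as in this post
    return "changed"            # a different site altogether


if __name__ == "__main__":
    # The two addresses from this post.
    print(check_home_page("http://www.googles.ca", "http://www.google.ca"))
```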

    There didn't seem to be any spyware or adware involved so I'm assuming that it was because of some web site they went to. Unfortunately, that is all it takes to get your computer infected these days.