Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Browser automatically redirecting to an unknown URL from Google search


25 Mar 2011   #1

Win 7 Home Basic x64
 
 
Browser automatically redirecting to an unknown URL from Google search

Hi,

For the past 2 weeks or so, all Google search results from my computer are getting automatically redirected to this unknown URL: http://www.nohginrotgea.com/ and then to http://www.clicks123.com (something similar to that). If I hit the back button and again click on the particular Google result, it will repeat the process. On hitting the back button and the result for a third time, everything becomes normal and the browser goes to the proper website.

Google does not provide any info on this. Neither has it been mentioned anywhere in this forum. Can you please help? I'm pasting the relevant link when I tried searching for 'advantage of write back over write through':

http://www.nohginrotgea.com/search.php?q=advantage%2Bof%2Bwrite%2Bback%2Bover%2Bwrite%2Bthrough&n=1301057908

Thanks.

Edit: This occurs with all the browsers on my computer:
Google Chrome, IE 9, Firefox 3.6.15, Flock 2.6.2

My System SpecsSystem Spec
.

25 Mar 2011   #2

Windows 7 Ultimate x64 SP1
 
 

Quote   Quote: Originally Posted by aspwin7 View Post
Hi,

For the past 2 weeks or so, all Google search results from my computer are getting automatically redirected to this unknown URL: http://www.nohginrotgea.com/ and then to http://www.clicks123.com (something similar to that). If I hit the back button and again click on the particular Google result, it will repeat the process. On hitting the back button and the result for a third time, everything becomes normal and the browser goes to the proper website.

Google does not provide any info on this. Neither has it been mentioned anywhere in this forum. Can you please help? I'm pasting the relevant link when I tried searching for 'advantage of write back over write through':

http://www.nohginrotgea.com/search.php?q=advantage%2Bof%2Bwrite%2Bback%2Bover%2Bwrite%2Bthrough&n=1301057908

Thanks.

Edit: This occurs with all the browsers on my computer:
Google Chrome, IE 9, Firefox 3.6.15, Flock 2.6.2

Hi and welcome to SF!
I think it's time to download, install, update a run a full scan with http://www.malwarebytes.org/mbam.php
Let us know the results!
My System SpecsSystem Spec
25 Mar 2011   #3

Windows 7 x86/x64, Server 2008r2, Web Server 2008
 
 

It is a classic browser hijack. It can happen to the best of us. But as Wallonn7 said try running Malwarebytes, but I have to add one thing I would suggest running it in safemode. Just in case they hijack has effected system files.
My System SpecsSystem Spec
.


25 Mar 2011   #4

Windows 7 Ultimate x64 SP1
 
 

Quote   Quote: Originally Posted by mckillwashere View Post
It is a classic browser hijack. It can happen to the best of us. But as Wallonn7 said try running Malwarebytes, but I have to add one thing I would suggest running it in safemode. Just in case they hijack has effected system files.

Thanks for adding!
My System SpecsSystem Spec
25 Mar 2011   #5

 

Tools / Internet Options / Connections Tab / Lan Settings (Button) / Remove Proxy settings on the bottom.
C:\Windows\System32\drivers\etc\hosts (open with notepad)
standard host file:
Code:
# 127.0.0.1       localhost
My System SpecsSystem Spec
25 Mar 2011   #6

windows 7 home premium 64 bit
 
 

Quote   Quote: Originally Posted by Wallonn7 View Post
Quote   Quote: Originally Posted by aspwin7 View Post
Hi,

For the past 2 weeks or so, all Google search results from my computer are getting automatically redirected to this unknown URL: http://www.nohginrotgea.com/ and then to http://www.clicks123.com (something similar to that). If I hit the back button and again click on the particular Google result, it will repeat the process. On hitting the back button and the result for a third time, everything becomes normal and the browser goes to the proper website.

Google does not provide any info on this. Neither has it been mentioned anywhere in this forum. Can you please help? I'm pasting the relevant link when I tried searching for 'advantage of write back over write through':

http://www.nohginrotgea.com/search.php?q=advantage%2Bof%2Bwrite%2Bback%2Bover%2Bwrite%2Bthrough&n=1301057908

Thanks.

Edit: This occurs with all the browsers on my computer:
Google Chrome, IE 9, Firefox 3.6.15, Flock 2.6.2
Hi and welcome to SF!
I think it's time to download, install, update a run a full scan with Malwarebytes' Anti-Malware: Malwarebytes
Let us know the results!
another great piece of software I use is SuperAntispyware (free edition) or if all fails "Norton Power eraser" (this is free to download and use)
My System SpecsSystem Spec
25 Mar 2011   #7

Win 7 Home Basic x64
 
 

Quote   Quote: Originally Posted by Wallonn7 View Post
Hi and welcome to SF!
I think it's time to download, install, update a run a full scan with Malwarebytes' Anti-Malware: Malwarebytes
Let us know the results!
Hi,
Thank you for your generous support.
Installed Malwarebytes and ran it from safe mode. Took a while to complete the scan (~1 hour+), but was effective. Even diagnosed a few harmless files to contain malware.
+1 rep

Quote   Quote: Originally Posted by mckillwashere View Post
It is a classic browser hijack. It can happen to the best of us. But as Wallonn7 said try running Malwarebytes, but I have to add one thing I would suggest running it in safemode. Just in case they hijack has effected system files.
Yup. Did that. Thanks.
+1 rep

Quote   Quote: Originally Posted by brady View Post
Tools / Internet Options / Connections Tab / Lan Settings (Button) / Remove Proxy settings on the bottom.
C:\Windows\System32\drivers\etc\hosts (open with notepad)
standard host file:
Code:
# 127.0.0.1       localhost
One of the infected registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones)

Guess it has something to do with what you said. Thanks!
+1 rep

Quote   Quote: Originally Posted by stephen500 View Post
another great piece of software I use is SuperAntispyware (free edition) or if all fails "Norton Power eraser" (this is free to download and use)
Thanks to you too. Might come in handy later.
+1 rep
My System SpecsSystem Spec
26 Mar 2011   #8

Win 7 Home Basic x64
 
 

Hi everyone,

It has made a wonderful return.

I searched for a solution and installed Safe Browsing Tool | WOT (Web of Trust) addon on IE. Subsequently, this addon gave an alert and redirected me to their forum- nohginrotgea.com | WOT Reputation Scorecard | WOT (Web of Trust)

Review- http://www.mywot.com/en/forum/8429-n...-com-stay-away

1. The site causing the trouble- www.goingonearth.com Please do not visit this website!!

2. It is reported to contain rootkit

3. Nohginrotgea is an anagram of goingonearth

4. If i type goingonearth in the address bar, the URL automatically changes to nohgintorea as I type the alphabet 'n' in goingonearth. Clear indication of trouble!

5. If I try to do a Google search for 'goingonearth', Google autocomplete shows 'goingonearth removal' and other suggestions, but I cannot go to any of these URLs. The search just does not occur.

If you have some info on how to remove this, please reply. I will post what works for me once I get it out of the system.
My System SpecsSystem Spec
26 Mar 2011   #9
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Flush the bad DNS cache and restore MS's Hosts files
Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0


Save as flush.bat to your desktop. Right click to run as Administrator. Your computer will reboot itself.

Next, download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Now, rescan with Malwarebytes'.

* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.
My System SpecsSystem Spec
26 Mar 2011   #10

Win 7 Home Basic x64
 
 

Quote   Quote: Originally Posted by Jacee View Post
Flush the bad DNS cache and restore MS's Hosts files
Copy and paste these lines in Note pad.
Hi,
Thanks for the reply. Please guide me through further steps.

Here is what I did:

1) To flush DNS: Opened command prompt with admin privileges and ran ipconfig /flushdns
2) Restored hosts file in system32 and SysWow64 with this code from MS website:
Code:
 
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handle within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
3) Ran flush.bat as admin. System restarted.
4) Downloaded TFC, ran as admin and restarted the system.
5) Performed a quick scan using MalwareBytes.

Here is the log file:
Code:
 
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6169
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
27-03-2011 1:26:19 AM
mbam-log-2011-03-27 (01-26-19).txt
Scan type: Quick scan
Objects scanned: 183590
Time elapsed: 4 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Edit: I cannot see the hosts file in system32 folder even though 'Show hidden files' is selected.
My System SpecsSystem Spec
Reply

 Browser automatically redirecting to an unknown URL from Google search




Thread Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 05:33 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33