I have a nuts issue with Firefox. Each time I do a search on Google, then right-click a link to open it in a separate tab/window, Firefox stalls for a couple of seconds, then opens some spam/advertisement link instead of the proper page.
- I have run SpyBot, SuperAntiSpyware, CCleaner and my PC is clean.
- I have tried to re-install Firefox and requested to delete all history and data. It did not solve the issue.
- I have deleted the content of my firefox/extensions folder, but it did not help.
- I have AGV anti-virus installed. It even says that the links are safe...
I searched other forums and websites for a solution, but could not find any. I am now posting this question here. Has anyone encountered this issue? How can I fix it?
EDIT
Often, a pop-up from Firefox asks me whether I want to save a file called 's'.
The issue is not specific to a browser. It also happens with Chrome.
I ran recent versions of Ad-Ware, CCleaner, SpyBot, Emsisoft Anti-Malware, MalwareBytes and SUPERAntiSpyware, but it did not solve the issue.
EDIT 2
I have followed JdeBP's recommendations (obtain the IP addresses automatically via DHCP). I also found a strange entry in my registry which I have deleted. I rebooted, but the problem is still there.
When I perform an ipconfig /displaydns, I get a long list of entries which seem to correspond to the spam I get. All of them have A (host) record set to 127.0.0.1.
When I perform ipconfig /flushdns followed by ipconfig /displaydns, then entries are still there...
When I perform ipconfig /renew, I get: No operation can be performed on Local Area Connection while it has its media disconnected. I am not really sure what that means. I am accessing the Internet via wireless (not ethernet cable). When I switch off the wireless on my PC, I get the same message for Wireless Connection.
I have disabled the Local Area Connection and tried ipconfig /renew, but it stalls...
EDIT 3
Here is the output of ipconfig /all. I am currently connected to the Internet via Wireless:
Windows IP Configuration
Host Name . . . . . . . . . . . . : NoKidding
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-1D-BA-AC-D9-26
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-21-5D-EB-34-A8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::193:2bc9:cbb0:168b%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.148(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : vendredi 10 juin 2011 2:10:57
Lease Expires . . . . . . . . . . : samedi 11 juin 2011 2:31:02
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 268443997
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-91-8C-91-00-1D-BA-AC-D9-26
DNS Servers . . . . . . . . . . . : 167.206.245.130
167.206.245.129
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter VMware Network Adapter VMnet1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
Physical Address. . . . . . . . . : 00-50-56-C0-00-01
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ccd8:6bfa:a3a4:7dfb%18(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.20.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : vendredi 10 juin 2011 2:18:29
Lease Expires . . . . . . . . . . : vendredi 10 juin 2011 10:31:02
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.20.254
DHCPv6 IAID . . . . . . . . . . . : 436228182
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-91-8C-91-00-1D-BA-AC-D9-26
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter VMware Network Adapter VMnet8:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
Physical Address. . . . . . . . . : 00-50-56-C0-00-08
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3419:22f2:c13b:e8fa%19(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.132.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : vendredi 10 juin 2011 2:19:04
Lease Expires . . . . . . . . . . : vendredi 10 juin 2011 10:31:04
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.132.254
DHCPv6 IAID . . . . . . . . . . . : 453005398
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-91-8C-91-00-1D-BA-AC-D9-26
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Primary WINS Server . . . . . . . : 192.168.132.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter VirtualBox Host-Only Network:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-00-D4-EA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::413a:949e:27db:860c%22(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.134.12(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 503840807
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-91-8C-91-00-1D-BA-AC-D9-26
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.lan:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{8C86257F-65F0-49A9-B3DF-A61CC7F73546}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{A98786DD-7682-4826-88F4-A03BA1D824A5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{A53A0A7E-6A3D-4A72-A11F-30A6322B957C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{FC119556-5E94-4BAB-8451-5D240BF581A5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Apparently the DNS server associated with the wireless connection is 167.206.245.130, which resolves to "vdns2.srv.prnynj.cv.net".
EDIT 4
I have noticed that I did not have a hosts file. I don't know how I got into that situation. Windows 7 never complained about this.
Some backups of hosts were there in the directory, including one made by SpyBot. I have created a new hosts file from it and rebooted, but I still face the same issue.
I have tried ipconfig /displaydns again, and it still displays the problematic entries. These entries are not in my hosts file:
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
...
127.0.0.1 www.zxsex2.info
127.0.0.1 zxsex2.info
127.0.0.1 zyban-zocor-levitra.com
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1 suportevendas.com
127.0.0.1 www.suportevendas.com
# End of entries inserted by Spybot - Search & Destroy
EDIT 5
Sorry, I retract. The problematic entries returned by ipconfig /displaydns did appear in my hosts file. So, I started with a fresh one:
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
Here is where it gets REAL crazy. After rebooting my PC, display DNS returns:
Windows IP Configuration
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost
1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost
localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1
localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 28
Time To Live . . . . : 86400
Data Length . . . . . : 16
Section . . . . . . . : Answer
AAAA Record . . . . . : ::1
After going to Google, searching for some dummy term, then right-clicking any link to open a page in a new tab, I get the spam. When I perform display DNS again, I get:
Windows IP Configuration
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost
1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost
clickalmost.org
----------------------------------------
Record Name . . . . . : clickalmost.org
Record Type . . . . . : 1
Time To Live . . . . : 30
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 69.65.49.114
t3.gstatic.com
----------------------------------------
Record Name . . . . . : t3.gstatic.com
Record Type . . . . . : 5
Time To Live . . . . : 28
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : tbn.l.google.com
www.gregorypacks.com
----------------------------------------
Record Name . . . . . : www.gregorypacks.com
Record Type . . . . . : 5
Time To Live . . . . : 1785
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : gregorypacks.com
www.gap-system.org
----------------------------------------
Record Name . . . . . : www.gap-system.org
Record Type . . . . . : 5
Time To Live . . . . : 7185
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : turnbull.mcs.st-and.ac.uk
www.cityofgregory.com
----------------------------------------
Record Name . . . . . : www.cityofgregory.com
Record Type . . . . . : 5
Time To Live . . . . : 3585
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : cityofgregory.com
www.gregorysshoes.com
----------------------------------------
Record Name . . . . . : www.gregorysshoes.com
Record Type . . . . . : 5
Time To Live . . . . : 3585
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : gregorysshoes.com
twitter.com
----------------------------------------
Record Name . . . . . : twitter.com
Record Type . . . . . : 1
Time To Live . . . . : 7
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 199.59.148.10
Record Name . . . . . : twitter.com
Record Type . . . . . : 1
Time To Live . . . . : 7
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 199.59.148.82
Record Name . . . . . : twitter.com
Record Type . . . . . : 1
Time To Live . . . . : 7
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 199.59.149.198
online.wsj.com
----------------------------------------
Record Name . . . . . : online.wsj.com
Record Type . . . . . : 5
Time To Live . . . . : 34
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : online.wsj.akadns.net
www.gregory1.com
----------------------------------------
Record Name . . . . . : www.gregory1.com
Record Type . . . . . : 1
Time To Live . . . . : 14385
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 98.190.238.71
www.utrecsports.org
----------------------------------------
Record Name . . . . . : www.utrecsports.org
Record Type . . . . . : 5
Time To Live . . . . : 3585
Data Length . . . . . : 4
Section . . . . . . . : Answer
CNAME Record . . . . : utrecsports.org
adwords.google.com
----------------------------------------
Record Name . . . . . : adwords.google.com
Record Type . . . . . : 1
Time To Live . . . . : 251
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 72.14.204.112
localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1
localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 28
Time To Live . . . . : 86400
Data Length . . . . . : 16
Section . . . . . . . : Answer
AAAA Record . . . . . : ::1
www.newadvent.org
----------------------------------------
Record Name . . . . . : www.newadvent.org
Record Type . . . . . : 1
Time To Live . . . . : 3321
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 208.87.26.197
Some stuff is managing to pollute my DNS information just from browsing. And to make sure it was not in Firefox's history, I performed CCleaner before all that.
I start to believe it comes from the net and exploits a weakness in Windows 7 and browsers.
EDIT 6
I have tried to reboot in safe mode with network, then I started Firefox. The problem still happens. I restarted Firefox in safe (i.e., disabling all add-ons etc...). The problem still happens.
My home page is http://www.google.com. I type KB66. The URL changes to:
http://www.google.com/#sclient=psy&hl=en&site=&source=hp&q=KB66&aq=f&aqi=&aql=&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=5014d35bb6efb157&biw=1280&bih=671
I right click on a link called 'www.faucetdirect.com › ... › Kingston Brass Tub and Shower' (for example) to open it in a separate tab (or window). The link in the new tab becomes:
http://7search.com/scripts/validation/v1/validate.aspx?x=dy9ygBqjMxLd%2fx4LgOz5nQ%3d%3d_nO1ntDEYzcueda6yqGuUEeCV6c3Bxc6tmw%2fI%2fM6cQTK3SaB9RpCN6iq7Oi6xnF6w0rps%2b%2bhP2MyCTu9vIpIX4yX3Rbb3DEqizuSnIrOMbXnjc%2bPLs5ynvpAR7ks6T%2b9EdGLnPWbO2Cu7Mv3V1w1MUhZAz6VAxhb3x4jYKaGcSRGjiUq%2bq0gHn2Ztqy2ZO0SJvCokHOYmlvuWGAEsf6xaAZ6sdsUfpzQXggpBWlZYwVIMNbCU9Y%2fhVzEWcKJ6XO4HZrlIhZwXAJ9%2brzRxqtwdegQ8fzHsM1DnhYe0kpgzZi4XCYIHjW%2fg5sf%2brshMYtgq
Sometimes, I get different links to other spam or search web sites.
When I right-click on the 'cached' link to open content in a separate tab, I get:
http://webcache.googleusercontent.com/search?q=cache:Y5x8Fw4B-OgJ:www.faucetdirect.com/kingston-brass-kb66-px-double-handle-tub-and-shower-with-rough-in-single-function-showerhead-tub-spout-and-porcelain-cross/p1507409+KB66&cd=2&hl=en&ct=clnk&gl=us&source=www.google.com
I followed harrymc's recommendation regarding autoruns; I can't find anything suspicious in my startup items.
I have been using this PC both in Europe and in the US and the issue happens in both locations.
P.S.: Yesterday, I also ran all anti-spyware, bot and anti-virus again and 0 issues were found.
For the record
Reformatting my PC from scratch solved the issue. I never thought I would have to go that far. Pffffff.....
Here's an idea: Install Wireshark and then try a few links on Google. Note the addresses which are used for communication. Some of them will be your ISP's but some will be addresses of infiltrator's servers. Try setting them to 127.0.0.1 in hosts file. See what happens. – AndrejaKo – 2011-06-08T17:48:52.793
@AndrejaKo I have installed WireShark and started to capture traffic on the Microsoft interface. This stuff is hard to read for me, but I found out that some Javascript which may cause my issue is actually returned by 74.125.93.106, a server in Mountain View. I find it hard to believe this might be caused by Google... – Jérôme Verstrynge – 2011-06-10T01:16:59.553
It would help to post the results of ipconfig /all. And are you using wired or wireless? – harrymc – 2011-06-10T06:57:06.697
@JVerstry Maybe the 1e100.net is used because of one of the reasons listed here? – AndrejaKo – 2011-06-10T07:18:29.510
@AndrejaKo You are probably right about 1e100.net – Jérôme Verstrynge – 2011-06-10T08:22:39.233
@harrymc I just added it to my question – Jérôme Verstrynge – 2011-06-10T08:23:04.303
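An added example, not part of the original post or its comments: the Windows DNS Client loads hosts-file lines into the cache that ipconfig /displaydns prints, so those records are still listed after ipconfig /flushdns, and this Python sketch separates them from records that came from real lookups. The sample cache and hosts text are constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of the ipconfig /displaydns output above.
SAMPLE_CACHE = """\
    008i.com
    ----------------------------------------
    Record Name . . . . . : 008i.com
    Time To Live  . . . . : 86400
    A (Host) Record . . . : 127.0.0.1
    clickalmost.org
    ----------------------------------------
    Record Name . . . . . : clickalmost.org
    Time To Live  . . . . : 30
    A (Host) Record . . . : 69.65.49.114
    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Time To Live  . . . . : 86400
    AAAA Record . . . . . : ::1
"""
# Constructed hosts file: the default entries plus one sinkhole line.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
127.0.0.1 008i.com  # sinkhole entry
"""

# "Key . . . : value" lines; header and separator lines do not match.
FIELD = re.compile(r"^[ \t]*([A-Za-z() ]+?)[ .]*:[ \t](.*)$", re.M)

def parse_displaydns(text):
    """Return one dict per cached record: name, ttl, kind, data."""
    records, cur = [], {}
    for key, value in FIELD.findall(text):
        value = value.strip()
        if key == "Record Name":
            cur = {"name": value.rstrip(".").lower()}
            records.append(cur)
        elif key == "Time To Live":
            cur["ttl"] = int(value)
        elif key.endswith(" Record"):  # "A (Host) Record", "CNAME Record", ...
            cur["kind"], cur["data"] = key[:-7], value.lower()
    return records

def parse_hosts(text):
    """Return the set of (name, address) pairs defined in a hosts file."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        pairs.update((name.lower(), fields[0].lower()) for name in fields[1:])
    return pairs

def split_by_origin(cache_text, hosts_text):
    """Split cache records into hosts-file mirrors and network lookups."""
    hosts = parse_hosts(hosts_text)
    local, resolved = [], []
    for r in parse_displaydns(cache_text):
        if r.get("kind") in (None, "PTR"):  # skip reverse and incomplete records
            continue
        (local if (r["name"], r["data"]) in hosts else resolved).append(r)
    return local, resolved
```

The second list returned by split_by_origin is the one to review after a redirect, since only those names were actually looked up during the browsing session.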