I was 45 minutes from leaving for the airport, moving stuff to my laptop, and tying up loose ends before traveling to Affiliate Convention. The last thing I needed was a computer problem.
Update 12/8 – I just got back, and it’s not fixed! Please see the bottom of this post where I’ll continue to add notes about resolution, or so see if I give up 😉
Update 12/8 – all fixed (apparently)
I did a Google site: search for an item at SearchEnginewatch.com to send to a client, but when I clicked the result, instead of the article, I ended up at a different site entirely. Huh?
I hit the “back” button, tried the same SERP listing, and got a different page, almost as if it was randomized. Then I did a Google search for “dog food”, and from the the listings, 8 out of 10 results took me somewhere other than my intended destination. Something was REALLY wrong.
That’s when it dawned on me that about 10 minutes earlier, I had a 20 – 30 second lockup while visiting some other website (No, I don’t know which), and my Winpatrol warning went off, asking me, “Do you want to add this item to your Windows Startup?” Although I said “No” apparently something slipped by, and my Firefox was screwed.
Running out of time before leaving, I opened Internet Explorer, assuming it would be fine. Did a site: search at Google, and my SERPS had been hijacked in IE too.
I began running Malware Bytes, a process that would take a couple of hours, and used my laptop to Tweet out a message, where @DavidKyle replied with a link to “Hijack This” which allows you to see registry additions.
After spending 10 minutes in Hijack This checking boxes for things I KNEW things were fine, I added them to the “ignore” list, and was left with a couple dozen items to examine, but this was right at the top –
I browsed to my registry path, and yep, there it was, an IP address entered for proxy use.
In case you don’t know, a proxy allows you to surf the web by going through their IP address. Reasons for CHOOSING to use a proxy vary, but in this case, it looked like the owner of the proxy IP was forcing me to go elsewhere, to other websites.
I looked up thje owner of the IP address at Domain Tools, and it turned out to be owned by the University of Washington. Great – some bored kid, using the schoos resouirces to deliver who knows what sort of crap to my PC.
I decided to let Malware Bytes continue to run rather than make any attempt at fixing it, and I left for the airport, dwelling on it all the way there.
As soon as I made it past security, I logged in remotely to see if the Malware Byte scan had finished, and it hadn’t. Not only that, but it hadn’t found anything out of the norm, either.
So, rather than use HiJack This to “fix” the problem by removing the registry entry, I decided to open Internet Explorer and went to the Proxy settings, where I saw the offending entry.
The box was NOT checked to use a Proxy, however, I could see the offending IP in the grayed out section.
All I had to do was check the box, delete the IP and port entries, hit OK, and then UNcheck the box again. I did a quick search at Google, and the problem was gone – Nice.
I can’t say for sure that this fixed everything, and I’ll likely have to get into Firefox and do the same thing, but I’ll bet dollars to donuts that’s it.
I was running IE8 and FF3, both patched with the absolute latest security fixes. I have a firewall, AntiVirus, and a startup protector that SHOULD have prevented this problem. Apparently, we’re not as safe as we like to think.
I’m writing this on the plane, but I’ll post it with screen shots when I get in later today – (right after I see if proxyaffiliatemarketing.com is available for registration 😉
*Update – 12/07 8am
After returning to Portland home and getting back to work this morning, my clicks into SERPS were still not coming up correctly `100% of the time, so I ran “Hijack This” again, and removed the offending entries that way. I’m sure I might have been able to solve it with enough time, but I really don’t have it to spare. All seems AOK now.
*Update – 12/07 noon
Back in serps after email catchup, and.. Agghh – it’s back. My registry seems clean, the Hijack This logs still show clean, but I’m still being redirected about 10% of the time, even after a reboot.
To be clear, here’s what I’ve done:
- Removed the obvious problem using Hijack This
- Manually verified removal from the registry
- Found over a dozen places undergoing troubleshooting
- Found one sales pitch disguised as a solution at Ezine Articles
- Using Google Wonder Wheel and Twitter Search but still found nothing concrete
to be continued…
Thanks to my Twitter search, I found someone who says below that Combofix worked for them, so I tried it from the only authorized US source for Combofix . Although the entire process tok more than two hours to run, in the end, I came out clean, and today I’m back to work. Hooray!