[WARNING] New Google 'n' Gmail Hack Attack

I've been experiencing these same problems as you've described for the past week or so. Have you heard anything else about this? I'd like to get rid of this because 1. it is quite annoying and 2. I'm worried about my security online.

I've seen the same thing.  Google woudn't load.  Juyst got a "0" and I saw that stupid certificate from kitchensinks.n0t, too.  I didn't accept it.  I closed and reopened FireFox after restoring to defaults.  Everything appears OK for the moment.  How do we report somehting like this to Google?  I set up a Google Alert for "kitchensinsks.n0t"  and found your post after I didn't find anything on it myself.

Same thing happening here and its getting annoying. I cant even log onto my blog to blog w/o having to close and reopen everything. what is this sink thing anyway? ANNOYING!!!!!!!!!!!!!!!!!!

I have been getting the EXACT same systems as you.  The 0 in the corner AND the obviously bogus security certificate.

Started experiencing the same thing on my end earlier today. Get a "0" sometimes. Opera warned me that the certificate was self verifying, and that the domains didn't match, and that "kitchensinks.n0t" is not a recognized certificate issuer.

Ran all of my security junk, and I'm thinking this is something to do with Google... not with my computer personally?

No rogue processes, in and out traffic is completely normal, Avira, Spybot, and SuperANTISPYWARE don't pick up anything.

Only thing I installed recently was Flash 10. But I went to the Adobe website "manually" to accomplish that.

So, what in the world is going on?

This was the only page I could find when I did a search for "kithcensinks.n0t" in Yahoo. This behavior has been happening on and off for a couple of days on my computer now. Not sure what to do about it.

I have had the same error, with Gmail for the past week (Oct 14 - 20 2008). I have googled and found one report with this kitchensinks.n0t domain in 2004! Four years ago. Strange. In Usenet i found this: http://groups.google.com/group/Gmail-Help-Logging-In-en/browse_thread/thread/03de13e32dd86571 As there I also have the "0" (zero) appear ramdomly during a google search. WTF? John Robie com.unixen@2007

Got this same crazy thing going on too!  It's been happening for a few days now and like some of the others have said, I haven't accepted the certificate - and so far the only solution seems to be to just re-load the browser.

Also ...  Started to happen yesterday, 10/19/08.  First just  got the page withe the 'zero'  when using  Google, now have this  same  'kitchensinks.nOt'  certificate appearing internittently whenever I attempt to enter or exit  gmail. Re-installed firefox which removed the problem for about six hours and now its back in the new instalation!

Wonder if it  is some kind of 'keystroke copier'-- my browser has been restricted to only using the keyboard for copying, not cut and paste!  

Hey 'mates, possible Fix.

At least, so far, so good.  Neither problem has returned since my last attempt to get rid of this bugger.

Not that that necessarily means anything since it's only been a few days, but 'ere's what I did:

1. FireFox --> Tools --> Options --> Privacy --> Cookies --> Show Cookies --> Remove All Cookies

2. FireFox --> Tools --> Options --> Advanced --> Network --> Cache --> Clear Now.

3. IE --> Tools --> Internet Options --> General --> Temporary Internet Files --> Delete Cookies

4. IE --> Tools --> Internet Options --> General --> Temporary Internet Files --> Delete Files (checkmark delete all offline content)

5. Run Ad-aware 2008 (latest free ver: 7.1.0.11)

6. click update (off the main Ad-aware screen) to purloin newest definitions file.

7. Run *Full Scan*: Ad-Aware --> Scan --> Full Scan.

Note 1: 'natch if any spyware is found checkmark and select "Quarantine".

Note 2: If any cookies are found, checkmark and _delete them all_.

(it has been suggested that this particular google hack may be triggered by a cookie)

Special Note 3: If you're using Win XP (or any windows version) with System Restore ON.

(to see if it's on: START --> Right Click "My Computer" ---> Properties --> System Restore tab)

It has been sugged that it be turned off _before_ running the steps above.  Then turn it back on _after_ completing step 7.

Interesting to note: I read that it's a good idea to turn system restore off before running a clean-sweep of your system, and back on directly afterwards, because apparently *some* malware (executable files injected into your windows directory for example) may be copied into the system "backup".

and so when we clean our system, it'll be fine until the system is "restored" at which point, the malware is copied right back onto our system -by- system restore.

That'd certainly be a circular pain in the posterior.

Anyway, hit irc to look for help and a Mensa mate said he thought it sounded like a browser hijack triggered by a bogus cookie. 

I have no idea whether he's correct or not, but between deleting all caches/all cookies and running the latest ad-aware with the latest definitions file, so far, the kitchensinks.n0t google'n'gmail hack attack hasn't returned.

Knock on Regis Philbin's Head.

[Pathud -Ed]

The Avante Guardian. ---- Einstein's Hair^2 //Approved.

see title. Fix 1 only works temporarily (clearing cache and cookies) the Google'n'Gmail bugger has returned.

Looks like we'll 'ave to wait for the professionals to figure out what the abaddon is going on.

Meantime, more people are popping up on the net reporting this problem and I've posted it over on the lavasoft (ad-aware) forums.

here's a reported Fix (only verified by 1 user, the apparent creator of the fix thus far tho) heretountofor known as Karen's Fix-2

/BEGIN Quote/

UPDATE: Karen's Fix-2 (as above) doesn't work as is, it's sugged to also block the images (instructions above -Ed) from:

https://ssl.google-analytics.com

and

http://www.google-analytics.com/

and please drop into the Lavasoft forum thread to add your voice, the more people that report it, the more likely it is to get their attention, the sooner it will be solved.

The Avante Guardian. ---- Einstein's Hair^2 //Approved.

It looks like more and more people are beginning to report this. So, hopefully, with numbers we will find out a definite solution.

I went almost a day and a half without getting any of the 0's or problem certificates, but I have now gotten them again. None of those fixes suggested above have worked for me.

Fingers crossed. More exposer, more answers, I hope.

I hastily accepted the bad certificate, when I initially encountered the problem- and then deleted it later (I stupidly didn't even pay attention- only figured it out later after viewing my certificates). I can find no evidence of intrusion. But, I still can't load anything related to Google. This is a vexing problem. I can't load g-mail, or even get to Google's homepage at the moment.

I've been having the same problems for a few days over the weekend.  The last day or two, it's almost as if nothing happened.  I looked at the Google Group forum (Gmail help) and saw the post by the Google employee, saying that software on some people's computers is causing the problems, and referred a link.  I followed the link, and saw it was about ad/spyware.  Yet everyone who has run scans on their computers have come up clean.  The way the Google post was worded was annoying, blaming the problem on "software" but not mentioning in the post itself that it may be adware. 

I just want to know what it is, is it dangerous, how do I get rid of it!

The Google post was no help at all, we've already cleared our cache, etc.  I've had problems with Google, Gmail, and Google Groups, so somehow it seems more related to Google than just my own computer...but since we don't know what it is, who knows.

'aye, I hear that, it's frustrating when Google doesn't appear to be taking what is effectively a Google'n'Gmail KILLER seriously. 

If you can't get on google.com you're going to go to another search engine, if you can't get on Gmail, you're going to switch to another email. 

It could be a coincidence caused by some ol spyware remnant that is only half-working (maybe it's s'posed to send us to another search engine for example instead of zero'ing google.com?) but it seems to me this thing is specifically targeting Google with the intent of changing peoples search-engine and email habits.

I would be mighty worried about that if I were google.

Anyway to be fair to google, I'm not sure who to report this TO at Google, or if the right people are even aware as yet.  I think I'll hit the google tech blogs and see if I can't find someone that we can confirm works there to report it directly to.

Meantime, we can help solve the problem by going at it from the spyware/virus side and report it to those companies.

I've added a topic on the Ad-Aware (spyware remover) website, you can help too!

1. click here to Download HiJackThis

it's a quick small (800K) program that will create a text log-file (that will load up onscreen automagically when you run HiJackThis)

2. you can then copy and paste the logfile into the msg thread in the Ad-Aware help message forums, for the pros to analyze.

click here to go to the Kitchensinks.not GoogleKiller thread and paste your logfile.

(you 'ave to create an Ad-Aware forums account but it's quick)

Since this is starting to feel a bit like a GT bunker for people targeted by the kitchensinks.n0t GoogleKiller bomb, I say we turn it into a campfire party while we're waiting for a confirmed fix.

'ello gang, my nickname is Tag and I'm a googleholic.

Well, I've pretty well much exhausted everything interesting about me, so 'ow about a Joke?

Is Windows a Virus No, Windows is not a virus. Here's what viruses do:

1.They replicate quickly - okay, Windows does that.

2.Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that.

3.Viruses will, from time to time, trash your hard disk - okay, Windows does that too.

4.Viruses are usually carried, unknown to the user, along with valuable programs and systems. - Sigh.. Windows does that, too.

5.Viruses will occasionally make the user suspect their system is too slow (see 2) and the user will buy new hardware. - Yup, Windows does that, too.

Until now it seems Windows is a virus but there are fundamental differences: Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature.

So Windows is not a virus.

It's a bug.

[Pathud]

The Avante Guardian. ---- Einstein's Hair^2 //Approved.

Of course, I am still dealing with the issue. Just for fun I downloaded and ran literally a dozen spyware/antivirus/whatever-is-relevant apps, and I still come up with nothing. Like I said, JUST FOR FUN and all.

Umm, what I really wanted to say was this: the fact that this is happening on multiple web browsers, and across multiple operating platforms (Mac and Win, in peoples reports so far) fills me with some amount of confidence in regards to an local infection on my system.

Also, my ISP is AOL related, it is Netscape (which is owned by AOL). So, add another person to the list of AOL or AOL related ISPs.

I even called google and just punched in a name on their calling tree and talked to someone to see if they are working on this, Gmail guide blue Michelle is supposed to do something but all I got is the old clearing cookies and temp files. I went at gmail through netscape isp and aol and it killed my aol, so I had to reload aol, I also went to gmail with firefox 3.03 and it killed the firefox, so I had to reload that. Fax machines at Google also do not work for me. I wonder what is going on?

Hey Dew, that is encouraging.

Esp in light of the latest theory put forward in the Google Groups Discussion, which suggest that this is an AOL (DNS) hack that's effecting us, and not a hack on our personal systems.

The idea being that AOL's DNS server (at their office) has been hacked, and that's why we're being re-directed to another webpage when we try to go to google.com or gmail.

However if that's the case, shouldn't I 'ave been able to solve the problem by adding google.com to my Win XP hosts file and forcing it to re-direct to the google english homepage?

That's the purpose of the Win hosts file to allow you to block or re-direct websites.

The hosts file _overrides_ all online DNS servers, so if the AOL DNS server was hacked (to direct google and gmail website addresses to a bogus kitchensinks.n0t google.com clone-page for example) then instructing the Win Hosts file to direct all google.com addresses to another actual google website address, should fix the problem, right?

ere's what I did:

Open Windows Explorer

Jump to the Windows/System32/Drivers/etc/ subdirectory.

Click on the file named "Hosts" and open it with Notepad.

(if not using Win XP or the file isn't located there, run a Windows file search for "hosts")

when you double-click on it it'll probably ask you what program to open it with, tell it you'll choose one yourself and select notepad from the dropdown list that appears.

The Hosts file should look something like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

(I added the following lines to this hosts text file below that line)

# [Google Inc]

209.85.171.99   www.google.com
209.85.171.99   google.com
209.85.171.99   ssl.google.com
66.249.91.83    gmail.google.com
66.249.91.83    mail.google.com
66.249.91.83    www.gmail.com

209.85.171.99 and 66.249.81.83 are Google.com (international english language) homepages, and so the word "English" appears under the "Google" logo on these pages when you surf to either.

Yet when I added both alternate international google-english language homepage address to the Hosts file (as displayed above) rebooted and jumped to google, I'm _not_ being redirected to the _Google Int English_ homepage.

I'm being taken to a different (allegedly - Ed) google page, because -no- "English" is writ under the logo, as it would be if you typed 209.85.171.99 in manually.

^Raise-Eyebrow.

I also notice another difference, though this one may normal.

This google.com page that loads (and has been loading since this prob began) has 1 line of text advertising underneath the google search bar.  That _doesn't appear_ on the google english international google page.

That may be normal however, google may be advertising on google.com and not at the english int language version page of google.com.

Perhaps someone who DOESN'T have this kitchensinks.n0t problem could let us know if they see a clickable text line of advertising under the google search box at www.google.com?

Twould be appreciated.

In either case, if I've set up the hosts file properly (see above) then the win hosts file re-direct _appears to be being-over-ridden_ by *something*.

It seems to me that would suggest this is probably a browser re-direct/hijack hack.  Either a hidden background program hijacking and re-directing google.com or a registry hack seem more likely.

Anyway, I think we're narrowing it down, and getting closer.

Message To The Fellow Embattled Who Are Encountering The Kitchensinks.n0t Problem:

I'm still the only person who has uploaded a hijackthis logfile to the spyware removal techs at ad-aware.  We need more people and more logs to get their attention and help them help us.

Please click here to go to the Kitchensinks.not GoogleKiller thread at Lavasoft Ad-Aware's help forum, and paste your logfile, instructions on how to do that are there.

The Avante Guardian. ---- Einstein's Hair^2 //Approved.

Well, I posted up my HijackThis log at the topic on Lavasoft. Not much eventful in my log though.

A poisoned DNS at AOL may not be a sufficient explanation. Using OpenDNS or altering your HOSTS file "should" circumvent the problem, if it did indeed lay with AOL.

A rogue process or jacked piece of piggyback software seems unlikely though. What would this be... the first ever cross platform event of that nature?

We should consider that the problem may indeed rest with Google themselves.

Also, nothing malicious appears to actually be taking place. People are just being denied access to Google and its services. There doesn't appear to be anything more to it than that. Which is most strange because, if this was a successful jacking of peoples systems which is basically undetectable by a whole plethora of security software one would think the authors of said jack would do something constructive (as in dangerous) with it.

What was the date of the most recent Microsoft updates versus the date when this issue started becoming a problem? I highly doubt it is that, but you never know.

Finally, for most of us the problem only rears its head intermittently. Which would be somewhat strange behavior for an owned system.

Until someone comes up with something else, I'm eye balling Google for now!

Oops, that last sentiment of mine was not what I wanted to say.

I should have said, I'm eye-balling AOL AND Google for now, or until something else turns up.

I am also having the problem.

Got a 0 for a while but only now do I get a certificate (which I deny) prompt window.

Cant get to Gmail or Google.. I think its a Google or AOL problem myself, I'm also on Netscape (owned by AOL).6

I use AOL. It has worked its way around every change I have made to correct it. Now exiting Firefox, and running CCleaner and ATF Cleaner doesn't make it go away. In the past it has temporary corrected the problem.

I am also noticing when I try to access Firefox > Tools > Privacy > Options > Cookies > view exceptions  that Firefox becomes unresponsive, and on occasion the box "accept third party cookies" has been checked. I uncheck it, and moments later it is checked again. Much of the time I have to use CTRL ALT Del to get out of Firefox.

Anyone have any new info on this? Are Google and AOL doing anything about it? It is most annoying. TIA

I'm using AOL and have had this problem sporadically for the past 4 days. Trying the block images in Firefox described above.

"I am also noticing when I try to access Firefox > Tools > Privacy > Options > Cookies > view exceptions  that Firefox becomes unresponsive"

The same for me. I also have AOL.

SO FAR, the hosts file fix has worked for me.

That will work for about 24 hours, then it comes back. Just wanted to give you a heads-up.

 Hmmmmmmmmmmmm(n) early into day 3 and neither problem has returned.  Longest I've gone yet without that certificate popping up or google "0"'ing.

(Maybe knocking on Regis Philbin's head helped - Ed)

It could be a coincidence, it could yet still return, but if anyone wants to try the steps I've employed, to see if it 'elps:

STEP 0: log off the net, close all browsers and any programs running.

STEP 1 (all users) Clear all of your browsers cookies and caches

1. FireFox --> Tools --> Options --> Privacy --> Cookies --> Show
Cookies --> Remove All Cookies

2. FireFox --> Tools --> Options --> Advanced --> Network --> Cache --> Clear Now.

3. IE --> Tools --> Internet Options --> General --> Temporary Internet Files --> Delete Cookies

4. IE --> Tools --> Internet Options --> General --> Temporary Internet Files --> Delete Files (checkmark delete all offline content)

STEP 2 (for AOL Users)

1. Quick restore AOL

right click on the AOL logo in the tray area of your taskbar (far right hand corner) and click "one-click fixes"

scroll down to "AOL Classic" "Quick Restore" click "fix it for me"

2. Rebuild AOL Adapter

right click on the AOL logo in the tray area of your taskbar (far right hand corner) and click "one-click fixes"

scroll down to "Rebuild AOL Adapter" click "fix it for me"

STEP 3 (all users)

If you've got any google.com bookmarks in any of your browsers, change them from http://www.google.com to http://66.249.91.83/ (google's english international homepage)

STEP 4 (firefox users)

1. install the firefox add-on customizegoogle

2. changes to make to customizegoogle:

firefox --> tools --> customizegoogle options --> web

checkmark remove click tracking

firefox --> tools --> customizegoogle options --> Gmail

checkmark secure (switch to https)

firefox --> tools --> customizegoogle options --> Calendar

checkmark secure (switch to https)

firefox --> tools --> customizegoogle options --> Docs

checkmark secure (switch to https)

firefox --> tools --> customizegoogle options --> Reader

checkmark secure (switch to https)

firefox --> tools --> customizegoogle options --> History

checkmark secure (switch to https)

firefox --> tools --> customizegoogle options --> Privacy

checkmark anonymize the google cookie UID

checkmark don't send any cookies to google analytics

STEP 5 (Windows Users)

Edit your win hosts file (detailed instructions further above in this thread)

short Win XP instructions:

jump to \WINDOWS\system32\drivers\etc

doubleclick "hosts" file.  open with notepad.

add the following lines to the hosts file.

127.0.0.1       localhost <--- this line will likely already be in your hosts file.

209.85.171.99   www.google.com
209.85.171.99   google.com
209.85.171.99   ssl.google.com
66.249.91.83    gmail.google.com
66.249.91.83    mail.google.com
66.249.91.83    www.gmail.com

127.0.0.1       www.google-analytics.com
127.0.0.1       ssl.google-analytics.com
127.0.0.1       adwords.google.com
127.0.0.1       pagead.googlesyndication.com
127.0.0.1       pagead2.googlesyndication.com
127.0.0.1       adservices.google.com
127.0.0.1       imageads.googleadservices.com
127.0.0.1       imageads1.googleadservices.com
127.0.0.1       www.googleadservices.com
127.0.0.1       apps5.oingo.com

note: 127.0.0.1 is the default internal address of your machine, the section above_ over-rides_ DNS lookup so for example anytime www.google-analytics.com is called by any website, it won't load, it'll be routed/re-mapped to your machine's address. 

ALL web addresses remapped to 127.0.0.1 will NO LONGER load in your browser.  It's a way to block web-sites. 

I'm hesitant to suggest blocking google's analytics and other click tracking and ad sites in this manner, it probably isn't having any effect on this fix but since google has been awfully quiet throughout all this, there is some suspicion that something at google may be causing the problem.

Bottom line: the kitchensinks.n0t bugger hasn't returned, it's only fair to include -everything- I 'ave done.  If only because IF something in these steps has solved the problem,  I 'aven't got a clue which particular change it was as yet.

If following all these steps leads to your system likewise becoming free of the kitchensinks bugger, then you can always go back into your hosts file in a week or so, and delete the 127.0.0.1 re-mapping section above.

STEP 6: apply Karen's Fix2 aka

FireFox --> Options --> Content --> Load Images --> Exceptions

block the following:

www.kitchensinks.n0t

https://ssl.google-analytics.com

http://www.google-analytics.com/

STEP 7: after completing steps 1-6, reboot computer.

STEP 8: as a result of STEP 2: quick-restoring AOL and rebuilding the adapter, when you next log on, you will (eventually) be sent a security patch upgrade by AOL, accept and install it.

That's it.

Hope it helps, and 'ere's hoping this fix-set continues to hold.

(Knock harder on Regis Philbin's head - Ed)

[Pathud]

The Avante Guardian. ---- Einstein's Hair^2 //Approved.

am going to try your latest post, Avante Guardian, later on today. You have been so helpful. Thanks much!

and will see what happens now. Thx Avante Guardian....I hope I am as lucky as you.

Now when I try to go to Yahoo, I get something like http://m.www.yahoo.com - there's an "m" there that shouldn't be.  I read on the Google gmail group about a Microsoft security problem (there's a story at http://www.bizjournals.com/kansascity/stories/2008/10/20/daily35.html).  Maybe it's not a Google problem after all. 

I haven't done the update to see if it gets rid of the problem (long story, short version is that I have dial-up so it's not easy to download big files).

Hi Lola!

Don't worry, it's not related to kitchensinks.n0t and not a virus, that's Yahoo's new beta test page. 

Apparently they're testing it out, and sending *some* people there without asking them.

I suspect they have also pro-actively signed some people up for it at some point. 

You know 'ow these big companies work, instead of asking you if you'd like to try out the new layout or service (which would be the sane polite approach) they sign you up for the new layout, then in small words someplace on the page, leave a note that you can easily miss that says "if you don't want to try the new layoud, click here".

Here's a letter (allegedly) from the yahoo on the subject (reprinted in the mozilla forums)

Wednesday, October 22, 2008 6:51:33 PM
To:Scott Meyers

Hello,

Thank you for writing to Yahoo! Homepage.

I understand that you are getting redirected to the test version of new Yahoo! Homepage, "m.www.yahoo.com".

In line with Yahoo!'s standard procedure, we randomly expose test pages to a fraction of our users and appreciate your patience during this process.

Testing is an ongoing process across the Yahoo! network because of our desire to improve our products and serve you better.

At this time, there is no option to return to the previous version. I apologize for the inconvenience caused.

Yahoo! homepage is undergoing changes in appearance, functionality, and service.

Now, on the left side of the page under My Applications, you can preview your Yahoo!, AOL, or Gmail email accounts, check out movies & local events, see your horoscope and weather, or track your stock portfolios at a quick glance.

On the right side of the page under Yahoo! Services are quick links to your favorite Yahoo! services. Click the service you want, and we'll take you there.

If you have additional questions regarding this matter, please reply to this message and I will gladly assist you.

My goal is your complete customer satisfaction and I want to ensure that your concerns are completely resolved. If there is any reason you feel your concerns were not satisfied, please reply to this email and I will work hard to resolve your issue.

Thank you again for contacting Yahoo! Homepage.

Regards,

Farley

So that would appear to confirm that it's Yahoo's doing.  You got selected as a special random person.  Oh lucky you! heh.

That thread with the letter from yahoo is located ((here))

Anyway, I went looking for how to help fix this and found this from Answers.com:

how to remove the forced re-direct to the new beta yahoo test site http://m.www.yahoo.com :

Answerer 3

see this thread at Answers.com for more details: http://answers.yahoo.com/question/index?qid=20081017092728AA50hd8

The Avante Guardian. ---- Einstein's Hair^2 //Approved.

re: Kitchensinks.not

Still running clean of the kitchensinks.n0t bugger 'ere.  Looks like it might be gone for good. YAY!

For those wondering, after applying my fixes above, although I've changed my default google page to the english international google page, I stillI surf to www.google.com to check if it "0"'s and so far, it hasn't, www.google.com loads properly, and the kitchensinks.n0t certificate has not returned at gmail either.

'ere's hoping this Fix set continues to hold.

The Avante Guardian. ---- Einstein's Hair^2 //Approved.

I have had the same problem with Google and Google mail, on and off. I use AOL on the Mac (OS X), and the problem had appeared in various browsers (including Opera and iCab).

However, when I replaced www.google.com with 66.249.91.83 the problem went away! I did nothing else, just went to the 66.249.91.83 site, and to "mail" from there.

Hope this helps...

After doing the 3 FIX's!  I give up with this. I am now resorting to NOT using anything Google. Forwarded all my G Mail to hotmail, not using Google Search, Docs, or Calendar.  I cannot believe Google or AOL for that matter has done nothing about this.  I will keep checking back here for updates.  Thanks!

Coming up on Day 4 and Fix3 is still working here.

I would sugg that after applying Fix3 you ONLY use Firefox to surf the web for the next 2 weeks.

Why? 2 reasons.

1. The main reason:

If it's an AOL DNS poison-cache hack (the leading theory which was suggested by Joshua in Google Groups) then it's going to keep re-infecting us whenever we surf to www.google.com

that is, UNTIL they patch their DNS servers at AOL offices.

Should be done by now, but probably will take a couple of weeks to flush all their Nameservers out.

2. Fix3 has extra kitchensinks.n0t security safeguards in it that specifically work with Firefox. 

The customizegoogle Firefox add-on for example, (as configured in Fix3) forces us to automagically log in to all google services (gmail, docs, news, et cetera) in secure encrypted mode.  It auto-switches us to the google "https" login pages.

The internal AOL browser and IE don't have that extra layer of security, so I'd stay out of both of them for the next 2 weeks.

Consider it your IE vacation, if you're an IE addict.

---

SPECIAL NOTE: If you apply Fix3 and you get kitchensinked in Firefox

it really should NOT happen.

Double check to make sure that the changes you made are all still applied/are actually working.

example 1.

in Firefox you can't be seeing the "0" when you surf to www.google.com, because you shouldn't be surfing to www.google.com anymore.

(at least for the next few weeks until someone at AOL or Google answers definitively with what the problem is, we still don't have any official word from either of them)

You should have changed your bookmarks and be surfing to google's alternative english page http://66.249.91.83 where the word "english" appears under the google logo, to indicate that.

example 2. when you surf to gmail you should be seeing the address start with https (and not http)

If  (in Firefox) you're seeing the "0" or when you surf to gmail or google docs et cetera you're _not_ being sent to the "https://" page, it means that you've surfed to or have been re-directed back to www.google.com

(which you should try to stay off of for the next couple of weeks, because that's the kitchensinks.n0t injection point)

and you have become re-infected.

In which case you'll need to apply Fix3 again.

Anyway, coming up on the beginning of Day 4 and Fix3 is still working here.

The Avante Guardian. ---- Einstein's Hair^2 //Approved.

there is a temporary fix:m http://hostwoot.com/forums/showthread.php?p=826#post826

I have found the correct hosts file, I add the addresses in FIX 3. However; it will not allow me to save it as a hosts file - it saves it as a txt document not a file.  When I try to change the name, it will not allow me to, as it says the file already exists with that name. 

How do I do this?

I think this is why kitchensinks came back, because I was not able to modify the original hosts file.

TIA

MSN live search! I started using Live Search instead of Google. Just now did a search in Live and the 0 showed up on the page.

Any updates on this?

Open Windows Exploer.

if using Win XP, the hosts file should be located in \WINDOWS\system32\drivers\etc

double-click on "hosts" (it should not have any file extension like .txt it should just read "hosts")

choose program to open it with, select notepad.

make changes to this file.

on the notepad "file" menu select save.

If you can't save the changes you made, then something is interfering.

Some spyware-removal programs like spybot search and destroy write-protect/lock the win hosts file so changes can't be made to it.

Best way to find out if any of your virus or spyware programs are locking the hosts file (And how to unlock it) is to go to yahoo.com and run a search for your spyware or virus program along with the hosts file.

for example, go to search.yahoo.com

and run a search for

spybot+win hosts file

or

avg+win hosts file

or whatever your malware scanner programs may be.

The results on the first page should give you an answer pertaining to your specific malware remover program.

for example, I ran that search for spybot+win hosts file, and up came up these answers in the page 1 yahoo search results:

how to lock the win hosts file:

http://malektips.com/spybot_search_and_destroy_0021.html

how to un-lock the win hosts file:

http://malektips.com/spybot_search_and_destroy_0030.html