First off, I'm a n00b. Hi, great site, I'm impressed!
Okay, more fun for you guys here. I'm a victim of the Google redirect as well. When I'm being redirected, the title bar says "Refresh Page". This affects the domains listed above and more, of course, but the main two that a considerable bulk of PeachyForum's links point to are kinghost and freepornofreeporn.com.
In addition to this, some of the domains sometimes redirect me to spoofed TGPs whose URLs are indicative of product searches and whose links take you to product websites.
For instance, http://www.wannawatch.com/hosted/index.php?ws/kramerika/barefootmaniacs101 takes me to Google searches sometimes, and spoofed TGPs other times. I just tested it, and it took me to http://marketingrealsearch.com/search.php?q=adult%20friend%20finder, the title bar said "Bunny Teens - 31 Fresh Hot Teen Girls Every Day!" and the page displayed was exactly like http://www.bunnyteens.com might be. But, of course, every thumb linked to http://marketingrealsearch.com/click.php?q=adult%20friend%20finder&PHPSESSID=98dad4d8ab055b066655f80917b7ce32. It's also recently taken me to a spoof of http://www.teenax.com/, and the real TeenAx has been redesigned recently -- the spoof showed the old layout.
I've also had Windows Picture and Fax Viewer open up during sessions to try and access "xxx[1].wmf", but I never quite got my head around the whole WMF thing.
In addition to *this*, some domains sometimes take me to one certain fake spyware advert from back in the day, the type that claims it's reading your memory and your desktop and tells you what your ISP and browser are. I know some domains just do that if they've been bought by sly evildoers, but there's clearly spyware or a hijacker of some sort somewhere, and it's getting hard for me to tell what's being hijacked and what's just not there anymore.
Now for solution info. I'm running XP with SP2, and browsing with IE6 (yeah, I know...Firefox...I'm getting round to it!). I use Norton SystemWorks 2004 and have Antivirus Auto-Protect and Internet Security enabled most of the time. I check for spyware using Spybot S&D and have its Resident running, have been removing dodgy HijackThis entries for a while now, and on the advice of this thread now also have ewido. However, on running Spybot, ewido, Antivirus and HijackThis in safe mode and rebooting, the problem still occurs.
I was interested in the idea of it being the HOSTS file, but "hosts" in c:\windows\ is completely empty. Is there any way a spyware HOSTS file could have been set up somewhere else and Windows be redirected to use that one instead? Is there a registry entry that tells Windows the path of the HOSTS file? Does anybody know what it is?
Sorry to drag this topic back into the open, but I'm really trying a lot of things here and nothing seems to be working. I can post a HijackThis log if you think it'd be of any use...
Please help, I'd love normal browsing to resume!