Google (and other) redirects caused by malware

Postby Fred » Mon Sep 12, 2011 11:18 pm

Why Google?

Since Google is the most visited website, and most users have it set as their startup page, it's the most targeted by hackers, who create more and more redirects that make their nasty pages show up as the startup page instead of Google's.

But Google is not the only one. Sometimes Microsoft websites, or antivirus or anti-malware scanners' websites, are redirected or just blocked.

This procedure is usually intended to prevent the user from reaching websites that could help them disinfect their machine.

How does the redirect work?

There are several ways to make a domain redirect. The most common is the hosts file. One single line added to this file can make several domains redirect to a specific IP address.

But redirects can also be done through other means, like the DNS or the group policies.

Does UVK show the redirects?

Yes, in the Startup entries and services section and in the log created with the Scan & create log feature, but only the ones in the hosts file.

But UVK provides fixes that disable the redirects through the DNS and the group policies: Clear Hosts and DNS cache and Reset group policies, in the UVK fixes section. The fixes Reset IP, winsock and proxy and Reset IE and internet settings are also recommended in a redirect situation.

The picture below shows a google redirect in the Startup entries and services section:

[Image: gredir.jpg]

Note that I've chosen an unsigned IP, to avoid messing things up. In a case like this one, it would be too easy: all you would have to do is click Delete entry, and the line in the hosts file that contains the redirect would be deleted, which would solve the problem.

Note that if there are no redirecting/blocking lines in the hosts file, the header <BlockedHosts> will not be shown.

Also note that if you have more than 100 redirects in the hosts file, UVK will only show the first 100, and display a message box (only once) warning you about the number of redirects and asking if you want to reset the hosts file to the defaults. If you answer No, the message box won't be displayed again.

Remove the redirect using the Automatic anti-malware scans section

This can also be easily done through the Automatic anti-malware scans section.

Select the scans you want to perform, ensure that Automatically delete threats found is checked, click Repair script options, and check the boxes corresponding to the fixes above.

[Image: rsoptions.jpg]

Also check Reboot computer after all done.

Click Start scan(s) and try not to do anything on the machine while the tool works. Usually no user interaction will be needed.

Hopefully, after all the work is done, the google redirect should be gone along with other possible infections.

Remove the redirection using the Run UVK fixes section

Another even easier way is to paste the following code into the text box in the Run UVK scripts section:

<ResetHostsAndDns>
<FixShortcutsUrlsProtocols>
<ResetGroupPolicy>
<ResetIEAndInternet>
<ResetIPWinsockProxy>
<EmptyBrowsersCache>


Ensure that ALL your internet browsers are closed.
Then just click Run / Fix listed, confirm and let UVK do all the work for you.

Those of you who are techs or forum helpers may find it useful to create a UVK script with the code above.

Just remember a UVK script's first line must always be <UVKCommandsScript> or UVK won't run it!

Some more tips:

To view the contents of the hosts file paste the code of the line below in the run bar of the UVK fixes section and hit Enter:

Notepad %SystemDir%\drivers\etc\hosts

To view the DNS settings use this one:

cmd /k ipconfig /displaydns
What is the hardest thing to develop? A good application? A good website? Nope. A good reputation.

Fred
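As an added illustration of the "one line, several domains" mechanism in the post above (example code, not UVK's own code), the following Python audits a Windows hosts file the way the tutorial describes UVK doing it: every line that maps a non-localhost name to an address is flagged, loopback/0.0.0.0 targets are reported as blocks and any other address as a redirect, the first 100 are shown (the cap the post mentions), and a cleaned copy with the flagged lines removed is produced, which is what "Delete entry" does. The sample hosts content, the attacker IP 203.0.113.7 (a documentation address) and the domain names in it are constructed for this demo.

```python
# Added example (not UVK's code): audit a Windows hosts file for the kind of
# redirect/block entries the post describes, and produce a cleaned copy that
# keeps only the stock localhost lines.  SAMPLE_HOSTS, the address 203.0.113.7
# and the domain names in it are constructed for this demo.
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the default Windows hosts comments, the usual localhost
# lines, then three malicious lines (one redirect, two blocks).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
::1 localhost
203.0.113.7 www.google.com google.com www.google.co.uk   # attacker server
127.0.0.1 www.microsoft.com update.microsoft.com
0.0.0.0 www.malwarebytes.org downloads.malwarebytes.org
"""

# Names that legitimately map to loopback.  Anything else pointing at
# loopback or 0.0.0.0 is a block; anything pointing elsewhere is a redirect.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

UVK_DISPLAY_LIMIT = 100  # the post says UVK lists at most 100 entries


@dataclass
class HostsEntry:
    line_no: int          # 1-based line in the file
    ip: str
    hostnames: list = field(default_factory=list)
    kind: str = ""        # "redirect" (foreign IP) or "block" (loopback/unspecified)


def parse_hosts(text: str) -> list:
    """Return every hosts line that maps non-local names to an address."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. inline ones
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a hosts mapping line
        names = [h.lower() for h in fields[1:] if h.lower() not in LOCAL_NAMES]
        if not names:
            continue                            # stock "127.0.0.1 localhost"
        kind = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        entries.append(HostsEntry(n, str(addr), names, kind))
    return entries


def summarize(entries: list, limit: int = UVK_DISPLAY_LIMIT) -> dict:
    """Mimic the post's display rule: show the first `limit`, report the total."""
    return {
        "total": len(entries),
        "shown": entries[:limit],
        "truncated": len(entries) > limit,
        "redirect_targets": sorted({e.ip for e in entries if e.kind == "redirect"}),
    }


def remove_entries(text: str, entries: list) -> str:
    """The 'Delete entry' fix: drop the flagged lines, keep everything else."""
    bad = {e.line_no for e in entries}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    for e in found:
        print(f"line {e.line_no}: {e.kind:8} {e.ip:15} {' '.join(e.hostnames)}")
    print(summarize(found)["total"], "suspicious line(s)")
    # after removal, nothing suspicious should remain
    assert parse_hosts(remove_entries(SAMPLE_HOSTS, found)) == []
```

On a real machine you would read `%SystemRoot%\System32\drivers\etc\hosts` instead of the embedded sample; the parser treats a loopback target as a block because that is how the tutorial describes blocked vendor sites, while a foreign target is the Google-style redirect the post's screenshot shows.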

Postby user24 » Tue Sep 13, 2011 3:54 am

This one was really informative.

Postby elohelomg » Sun Dec 25, 2011 9:43 pm

Damn it Fred, you beat me to it again! haha

Postby Craig Borten » Tue Oct 29, 2013 12:55 pm

Yeah, this attack is common nowadays. Whatever software you are installing, whether it is freeware or not, there is a chance that it may contain malware that edits the home pages of all of your browsers and the new tab pages of Chromium-based browsers. The only way is to be careful while installing software. Some software may have multiple EULAs, one of which is for the other software. Just go through the note before clicking Accept or Next!



Postby wmmiller » Wed Oct 30, 2013 2:29 am

Hi Craig and welcome to the forums. You're right. People need to slow down and look before clicking. I tell people that over and over, but still hear them say they don't know where things came from. :roll:
Bill
“Be polite, be professional, but have a plan to kill everybody you meet.” ―James Mattis

