
Google (and other) redirects caused by malware

Posted: Mon Sep 12, 2011 11:18 pm
by Fred
Why google?

Since google is the most visited website, and most users have it set as their startup page, it's the most targeted by hackers, who create more and more redirects that make their nasty pages appear as the users' startup page instead of google's.

But google is not the only one. Sometimes Microsoft websites, Antivirus or anti-malware scanners' websites are redirected or just blocked.

This procedure is usually intended to prevent the user from going to websites that could help him to disinfect his machine.

How does the redirect work?

There are several ways to make a domain redirect. The most used is the hosts file. One single line added to this file can make several domains redirect to a specific IP address.

But redirects can also be done through other means, like the DNS or the group policies.

Does UVK show the redirects?

Yes, in the Startup entries and services section and in the log created with the Scan & create log feature, but only the ones in the hosts file.

But UVK provides fixes that disable the redirects through the DNS and the group policies: Clear Hosts and DNS cache and Reset group policies, in the UVK fixes section. The fixes Reset IP, winsock and proxy and Reset IE and internet settings are also recommended in a redirect situation.

The picture below shows a google redirect in the Startup entries and services section:


Note that I've chosen an unassigned IP, to avoid messing things up. In a case like this one, it would be too easy: all you would have to do is click Delete entry, and the line in the hosts file that contains the redirect would be deleted, which would solve the problem.

Note that if there are no redirecting/blocking lines in the hosts file, the header <BlockedHosts> will not be shown.

Also note that if you have more than 100 redirects in the hosts file, UVK will only show the first 100, and display a message box (only once) warning you about the number of redirects and asking if you want to reset the hosts file to the defaults. If you answer No, the message box won't be displayed again.

Remove the redirect using the Automatic anti-malware scans section

This can also be easily done through the Automatic anti-malware scans section.

Select the scans you want to perform, ensure that Automatically delete threats found is checked, click Repair script options, and check the boxes corresponding to the fixes above.


Also check Reboot computer after all done.

Click Start scan(s) and try not to do anything on the machine while the tool works. Usually no user interaction will be needed.

Hopefully, after all the work is done, the google redirect should be gone along with other possible infections.

Remove the redirection using the Run UVK fixes section

Another even easier way is to paste the following code to the text box in the Run UVK scripts section:

<ResetHostsAndDns>
<FixShortcutsUrlsProtocols>
<ResetGroupPolicy>
<ResetIEAndInternet>
<ResetIPWinsockProxy>
<EmptyBrowsersCache>


Ensure that ALL your internet browsers are closed.
Then just click Run / Fix listed, confirm and let UVK do all the work for you.

Those of you who are techs or forum helpers may find it useful to create a UVK script with the code above.

Just remember a UVK script's first line must always be <UVKCommandsScript> or UVK won't run it!

Some more tips:

To view the contents of the hosts file paste the code of the line below in the run bar of the UVK fixes section and hit Enter:

Notepad %SystemDir%\drivers\etc\hosts

To view the DNS settings use this one:

cmd /k ipconfig /displaydns
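Fred's post explains that a single hosts-file line can point several domains at one address, and that UVK lists such lines (as "blocked" when the address is loopback or 0.0.0.0, as a redirect otherwise) and caps the display at 100. The script below is an added example illustrating that check; it is not UVK's code nor anything from the original post. The hosts contents and the address 203.0.113.10 are constructed sample data, and the watch list and function names are my own assumptions.

```python
import ipaddress

# Constructed sample hosts file (not a real capture). The last three entries are the
# kind of lines a redirect infection adds; 203.0.113.10 is a documentation-range address
# chosen as a hypothetical redirect target.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# entries below are constructed for the example
203.0.113.10    www.google.com google.com
0.0.0.0         www.malwarebytes.org  # blocked
127.0.0.1       update.microsoft.com
"""

# Names a clean hosts file legitimately maps to loopback; never reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Mirrors UVK's behaviour of listing at most this many entries (from the post).
DISPLAY_LIMIT = 100


def parse_hosts(text):
    """Yield (ip, [hostnames], line_number) for every active entry.

    Comments (everything after '#') and blank lines are skipped, exactly as the
    resolver does, so a redirect hidden after many comment lines is still found.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        active = raw.split("#", 1)[0].strip()
        if not active:
            continue
        fields = active.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no names
        yield fields[0], fields[1:], line_no


def classify(ip, host):
    """Return 'blocked', 'redirected', 'unparseable IP', or None for a benign entry."""
    if host.lower() in LOCAL_NAMES:
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable IP"
    # Loopback or 0.0.0.0 makes the name unreachable: the site is blocked.
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"
    # Any other address silently sends the user somewhere else: a redirect.
    return "redirected"


def find_redirects(text, limit=DISPLAY_LIMIT):
    """Return (findings shown, total count); findings is a list of dicts."""
    findings = []
    for ip, hosts, line_no in parse_hosts(text):
        for host in hosts:
            kind = classify(ip, host)
            if kind is not None:
                findings.append({"line": line_no, "host": host, "ip": ip, "kind": kind})
    return findings[:limit], len(findings)


def render_report(text):
    """Build a plain-text report; an empty hosts file yields an empty string."""
    shown, total = find_redirects(text)
    if not shown:
        return ""
    lines = [f"{f['kind']:<12} {f['host']:<28} -> {f['ip']} (hosts line {f['line']})"
             for f in shown]
    if total > len(shown):
        lines.append(f"... {total - len(shown)} more entries not shown")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live Windows machine you would read %SystemRoot%\System32\drivers\etc\hosts
    # instead of the constructed sample.
    print(render_report(SAMPLE_HOSTS))
```

The two cases the post distinguishes show up directly in the output: the google.com entries are reported as redirected because they point at a routable address, while the anti-malware vendor and Microsoft entries are reported as blocked because loopback and 0.0.0.0 make them unreachable. Nothing is printed when the file holds only the default localhost lines, matching UVK's behaviour of omitting the header when there is nothing to show.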

Re: Google (and other) redirections caused by malware

Posted: Tue Sep 13, 2011 3:54 am
by user24
This one was really informative

Re: Google (and other) redirects caused by malware

Posted: Sun Dec 25, 2011 9:43 pm
by elohelomg
Damn it Fred, you beat me to it again! haha

Re: Google (and other) redirects caused by malware

Posted: Tue Oct 29, 2013 12:55 pm
by Craig Borten
Yeah, this attack is common nowadays. Whatever software you are installing, whether it is freeware or not, there is a chance that it may contain malware so as to edit the home pages of all of your browsers and the new tab pages of Chromium-based browsers. The only way is to be careful while installing software. Some software may have multiple EULAs, one of which is for the other software. Just go through the note before clicking Accept or Next!


____________________________
Outlook Tech Support
outlookrepairhelp.com

Re: Google (and other) redirects caused by malware

Posted: Wed Oct 30, 2013 2:29 am
by wmmiller
Hi Craig and welcome to the forums. You're right. People need to slow down and look before clicking. I tell people that over and over, but still hear them say they don't know where things came from. :roll:
Bill