I ran into a troublesome problem with a web browser redirect. All services were fine and browsing worked without issue except for Google and Bing. These two sites, and a couple of others I later discovered, would redirect to either a survey web page or one displaying “404 not found nginx”. Netstat interestingly showed within seconds of logon about twelve port 80 ”established” connections to remote sites, but quickly switched to a consistent three: 18.104.22.168, 22.214.171.124, 126.96.36.199. This obviously indicated either tampering with DNS or a proxy server.
My first thought was the Hosts file which upon inspection revealed it had bean cleared and the attributes changed to Read Only, Hidden, and System file. I reset the attributes with “attrib –R –A –S -H “, copied the contents of another host file which is really just comments, and ran “ipconfig /flushdns”. (For those unaware Notepad must be opened using elevated privileges if Vista or Win7). This made no difference whatsoever.
Googling suggested this was common with hacked routers, but this was only one PC on the network, and other suggestions were Malwarebytes, TDSSKiller, Gmer, HitMan Pro, and others. Trying several of these found nothing. I reverted back to my original thinking and discovered the Hosts file had indeed been modified. There were about 100 empty lines and then below that Malware had added about 30 malicious entries. Clearing these resolved the problem.
Such a simple hack, but easily overlooked, and surprisingly missed by the common Malware tools.
Comments on: "Google Malware Redirect" (9)
you hit the point man, thanks a lot.
After many different malware/virus scans and much forum searching, this was the solution that worked. Well done!
Many thanks for your note. I spent 4 hours to find it, and after reading it, 1 minute to solve the problem 🙂
Mant thanks. I had to take ownersheep and change access permisions first.
I recently got the redirect, however it was able to breach my router and change DNS settings. Why? I never changed he default password! There are various versions of this thing I believe so it’s best to just lock down your entire network and individual PC’s with Real-Time Anti-Virus/Malware/Spyware protection, as well as changing the default router login and encrypting your local network. That’s about as good as you can do.
Most of the systems I have seen infected had anti-virus software installed and current, as well as all Microsoft updates. I know at least in 2 cases the virus came from an infected web site, which caused a popup and the user knowing or un-knowing, approved the installation based on the warning in the popup message. Many of these messages are intended to look like Windows warning messages.
As for one’s router, it is a given that the default password should be changed, ICMP WAN requests (pings) disabled, and UPnP disabled.
Thank You for posting this fix. I have literally been working on this problem for 2 weeks and thought I could fix it, only to be disappointed over and over again. God Bless You.
Wonderful, what a web site it is! Thiss web site provides valuable facts to us, keep it up.