Spyware redirec url

Experts, we have a problem: when I go to www.yahoo.com another web page comes up. Any ideas of what I can do? I tried CWShredder but it did not work. Any ideas?
Asked by: mputnam31

1 Solution
r-k commented:
Check your "hosts" file. It is a file named "hosts" in the folder "C:\WINDOWS\SYSTEM32\DRIVERS\ETC" (assuming you have XP)
Open this file with Notepad, and if it has any entries other than

"127.0.0.1       localhost"

then first make a copy of the file under a new name, then edit "hosts" and delete everything but that one line.

Then reboot and see if that fixed it.

If not, or if the file was already OK, then do the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
kevinf40 commented:
Hi

It is also worth ensuring you have up-to-date AV and anti-spyware software installed and running on your machine.

Be aware that there are sometimes legitimate entries in the hosts file other than the one for localhost, so if you have other entries they could be there for a reason, e.g. some legacy apps use the hosts file. This isn't very common, but worth being aware of.

cheers

Kevin
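The hosts-file check r-k describes, with kevinf40's caveat about legitimate entries built in, as an added example (this is not code from the thread). It reads the file as text, so it runs equally on a copy of C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts or on the constructed sample embedded below; the allow-list of legitimate internal names is an assumption the caller supplies, and the sample hostnames and addresses other than the 127.0.0.1 localhost line are made up for illustration.

```python
"""Audit a Windows hosts file for redirect entries.

Added example; not code from the thread. The allow-list of legitimate
internal names (kevinf40's legacy-application case) is an assumption the
caller supplies.
"""
import ipaddress
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample: the stock localhost line, one legitimate legacy entry,
# and two lines of the kind a browser redirector plants.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.0.0.25       legacyapp legacyapp.corp.local   # legacy accounting client
67.59.168.37    www.yahoo.com yahoo.com
67.59.168.37    www.google.com
"""

Entry = Tuple[int, str, str]  # (line number, ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, ip, name) per hostname; comments and blanks skipped."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; not a mapping line
        for name in fields[1:]:
            entries.append((line_no, fields[0], name.lower()))
    return entries


def audit_hosts(text: str, allowed_names: Sequence[str] = ()) -> Dict[str, List[Entry]]:
    """Split entries into 'ok' and 'suspicious'.

    ok: a loopback address mapped to localhost, or an allow-listed internal
        name mapped to a private address.
    suspicious: everything else, which is where a redirector's entries land.
    """
    allowed = {n.lower() for n in allowed_names}
    report: Dict[str, List[Entry]] = {"ok": [], "suspicious": []}
    for entry in parse_hosts(text):
        _, ip, name = entry
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback and name == "localhost":
            report["ok"].append(entry)
        elif name in allowed and addr.is_private:
            report["ok"].append(entry)
        else:
            report["suspicious"].append(entry)
    return report


def redirect_sinks(report: Dict[str, List[Entry]]) -> Set[str]:
    """Addresses that several suspicious names point at: the usual signature
    of a hosts-file hijack, where many popular sites map to one host."""
    counts: Dict[str, int] = {}
    for _, ip, _ in report["suspicious"]:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n > 1}


if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS, allowed_names=["legacyapp", "legacyapp.corp.local"])
    for line_no, ip, name in rep["suspicious"]:
        print(f"line {line_no}: {name} -> {ip}  SUSPICIOUS")
    print("redirect sinks:", redirect_sinks(rep))
```

On a real machine, pass `open(path).read()` instead of the sample and list the hostnames your legacy applications genuinely need in `allowed_names`; anything reported as suspicious is what you would back up and remove, exactly as r-k describes.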
pyroman1 commented:
Perform the steps here, http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html, and it will fix 99% of spyware/malware problems.
mputnam31 (author) commented:
Analyzed.  Now what?  :)

http://hijackthis.de/#anl
r-k commented:
I think that is the wrong link. You have to click on "Save Analysis" at the bottom of that page, then post a link to that final saved page.
pyroman1 commented:
Did you perform all of the steps on the Geeks to Go forum? There are several things you should do before running HijackThis.
mputnam31 (author) commented:
At the bottom it states "the following analysis has been stored temporarily". That is it.
r-k commented:
Right above that there should be links that read "Save Analysis/Short Analysis" (may be in a hard-to-read color). Click on "Save Analysis" and you'll get a new page. The address will be something like:

 http://www.hijackthis.de/logfiles/8162635dce2815d631f5927c54cb2e56.html

That is the address we need.

Thanks.
r-k commented:
Hmm.. your HJT log seems clean.

Any luck examining the "hosts" file?

BTW, is this a server running Exchange?
mputnam31 (author) commented:
Yes, I am running Exchange, and the local hosts file has "127.0.0.1       localhost"... no other entries.

The redirection is on all 165 machines and the server. Server 2003 Enterprise; clients running XP Pro. Appreciate the help.
pyroman1 commented:
Check your DNS entry for yahoo.com; do this on the DNS server. I get 68.142.197.82. Of course I'm sure they have a cluster of servers handling requests, but this may at least help you get a step in the right direction.

Also try ping -a www.yahoo.com and see what you get.  With this large a number of machines affected it is unlikely that this is a spyware/malware issue, unless it is affecting your server.  Did you ever go through the Geeks to Go forum, just to be on the safe side?
pyroman1 commented:
Just another quick note, I flushed my DNS cache and the second time around got an IP address of 68.142.197.67, so it would seem that if you get the first three octets right you should have a correct DNS resolution.
r-k commented:
Yes, the fact that it's happening on all your machines points to a DNS problem.
As pyroman1 suggested, try nslookup for www.yahoo.com

> nslookup
www.yahoo.com

For comparison, I get:

addresses: 68.142.197.89, 68.142.197.66, 68.142.197.74, 68.142.197.75,
68.142.197.80, 68.142.197.81, 68.142.197.83, 68.142.197.88
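The comparison pyroman1 and r-k are doing by hand, as an added example (not code from the thread): pull the answer addresses out of nslookup output and rate them against a reference answer set, using pyroman1's "first three octets" rule of thumb rather than an exact match, because large sites rotate addresses. The nslookup text below is constructed in the shape of Windows nslookup output, the server name and address in its header are made up, and the address lists are the figures posted in this thread.

```python
"""Compare an internal DNS server's answer for a name with a reference
answer, and pull addresses out of Windows nslookup output.

Added example; not code from the thread. The nslookup text and the two
address lists are constructed from figures posted in the thread so the
script runs offline; a live check would paste real nslookup output in.
"""
import ipaddress
import re
from typing import Dict, List, Sequence

# Reference answers for www.yahoo.com as reported by pyroman1 and r-k.
REFERENCE = [
    "68.142.197.82", "68.142.197.67", "68.142.197.89", "68.142.197.66",
    "68.142.197.74", "68.142.197.75", "68.142.197.80", "68.142.197.81",
    "68.142.197.83", "68.142.197.88",
]

# Constructed text in the shape of Windows nslookup output, carrying the
# answer mputnam31 got from his own server. Server name/address are made up.
SAMPLE_NSLOOKUP = """\
Server:  dc1.corp.local
Address:  192.168.1.10

Non-authoritative answer:
Name:    www.yahoo.com
Address:  67.59.168.37
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def answer_addresses(nslookup_text: str) -> List[str]:
    """Return the answer addresses, skipping the 'Server:/Address:' header
    that names the resolver itself (everything before the 'Name:' line)."""
    _, sep, answer = nslookup_text.partition("Name:")
    if not sep:
        return []
    return IPV4.findall(answer)


def classify_answer(internal: Sequence[str], reference: Sequence[str],
                    prefixlen: int = 24) -> Dict[str, object]:
    """Rate an internal answer against the reference set.

    An address inside one of the reference /prefixlen blocks counts as
    'same-block' (pyroman1's first-three-octets heuristic). Anything outside
    those blocks is 'foreign' and the verdict is 'mismatch'.
    """
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            for a in reference}
    foreign = [a for a in internal
               if not any(ipaddress.ip_address(a) in n for n in nets)]
    if not internal:
        verdict = "no-answer"
    elif foreign:
        verdict = "mismatch"
    elif set(internal) & set(reference):
        verdict = "match"
    else:
        verdict = "same-block"
    return {
        "verdict": verdict,
        "foreign": foreign,
        # A private or loopback answer for a public site is a local hijack
        # regardless of what the reference set looks like.
        "foreign_private": [a for a in foreign
                            if ipaddress.ip_address(a).is_private],
    }


if __name__ == "__main__":
    got = answer_addresses(SAMPLE_NSLOOKUP)
    result = classify_answer(got, REFERENCE)
    print(got, result["verdict"], result["foreign"])
```

A "mismatch" is a prompt to look at the server, not proof on its own: geographically distributed sites can legitimately hand different networks different address blocks, so the reference set should come from a resolver you trust and, ideally, from the same region.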
mputnam31 (author) commented:
I get 67.59.168.37... How do I fix this in DNS?
pyroman1 commented:
Make sure everything in your forward lookup zone is accurate.  Also check to see if your DNS forwarding servers are correct.  You may need to contact your ISP if you don't have this information available.
r-k commented:
Your DNS server seems to be compromised in some way. Are you running your own DNS server, or are you using the ISP's?

If it's your own server then try rebooting it as a start.
mputnam31 (author) commented:
I am running my own DNS server and I already rebooted. I don't really understand DNS so well. I know it translates IP address stuff.

So my question is what am I forwarding to my ISP?  Am I finding out what their DNS server names are and creating an alias or something, because I am sure that I haven't done that.

My ISP is called Arrival communications in Modesto, CA.
pyroman1 commented:
Open the DNS service:
Start->Administrative Tools->DNS

Right click on your server name and clear the cache to start with.
Then click on the + next to your server name, then click on the plus next to forward lookup zone.  Next click on your domain name.
Look through all the entries there.  If something doesn't look like it belongs, delete it.  If it should be there it will rebuild.  Don't bother deleting anything that is pointing to an internal IP address.
pyroman1 commented:
Oh, and as for the forwarders.  Right click on your server name and choose Properties.  Click on the Forwarders tab and check the IP address of your ISP's DNS servers.  You will have to contact them to see what you should be using.
mputnam31 (author) commented:
Should I have an entry for www as a lookup zone?
pyroman1 commented:
Yes, this will likely point to your company's web page.  Do a ping -a I.P.Addr.ess to see what the host name is for that IP address.