mputnam31

asked on

Spyware redirect URL

Experts, we have a problem: when I go to www.yahoo.com, another web page comes up. Any ideas of what I can do? I tried CWShredder, but it did not work. Any ideas?
r-k

Check your "hosts" file. It is a file named "hosts" in the folder "C:\WINDOWS\SYSTEM32\DRIVERS\ETC" (assuming you have XP)
Open this file with Notepad, and if it has any entries other than

"127.0.0.1       localhost"

then first make a copy of the file under a new name, then edit "hosts" and delete everything but that one line.

Then reboot and see if that fixed it.

If not, or if the file was already OK, then do the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
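The hosts-file check above, written out as a small audit script. This is an added example, not code from r-k or from the thread; it assumes Python and the Windows XP / Server 2003 path given in the reply. The sample hosts content is constructed to show the three cases a practitioner will meet: the stock localhost line, a harmless entry a legacy application owns, and the redirect/block entries spyware writes. The script reports rather than deletes, since an entry other than localhost can be legitimate.

```python
from pathlib import Path

# Default hosts file location on Windows XP / Server 2003 (the thread's environment).
HOSTS_PATH = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")

# The single mapping a stock Windows XP hosts file contains.
EXPECTED = {("127.0.0.1", "localhost")}

# Addresses that do not send traffic anywhere: loopback and the null route.
NON_REDIRECTING = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample (not a real capture): the stock line, one harmless
# legacy entry, and the kind of entries spyware writes to hijack or block sites.
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost

10.1.2.3        legacyapp.corp.example    # pinned by an in-house legacy app
67.59.168.37    www.yahoo.com yahoo.com    # redirect: popular site -> attacker IP
127.0.0.1       www.symantec.com           # block: AV vendor sent to loopback
"""


def parse_hosts(text):
    """Return (ip, hostname, line_number) for every mapping in a hosts file.

    Handles tabs/spaces, blank lines, full-line and trailing '#' comments,
    and several hostnames on one line (all valid in the Windows hosts format).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue          # malformed line: no hostname after the address
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower(), lineno))
    return entries


def audit_hosts(text, expected=EXPECTED):
    """Report every mapping that is not in `expected`.

    'redirects' is True when the hostname is sent to a real address (the
    www.yahoo.com symptom in the thread) and False when it is merely blocked
    by pointing at loopback or 0.0.0.0 (common for AV/update sites).
    Entries are reported, not deleted: a legacy app may legitimately own one.
    """
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if (ip, name) in expected:
            continue
        findings.append({
            "line": lineno,
            "ip": ip,
            "host": name,
            "redirects": ip not in NON_REDIRECTING,
        })
    return findings


def audit_file(path=HOSTS_PATH):
    """Audit the hosts file on disk; returns the same findings as audit_hosts."""
    return audit_hosts(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        kind = "REDIRECT" if f["redirects"] else "block"
        print(f"line {f['line']:>3}: {kind:8} {f['host']} -> {f['ip']}")
```

Run `audit_file()` on the machine itself (as an administrator, since the file is protected) and treat any finding with `redirects` True for a well-known site as the hijack; a loopback entry for an AV vendor is the companion symptom, where the spyware blocks the sites that would remove it.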
Hi

It is also worth ensuring you have up-to date AV and anti-spyware software installed and running on your machine.

Be aware that there are sometimes legitimate entries in the hosts file other than for localhost, so if you have other entries they could be there for a reason, e.g. some legacy apps use the hosts file. This isn't very common, but it is worth being aware of.

cheers

Kevin
Perform the steps here, http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html, and it will fix 99% of spyware/malware problems.

ASKER

Analyzed.  Now what?  :)

http://hijackthis.de/#anl
I think that is the wrong link. You have to click on "Save Analysis" at the bottom of that page, then post a link to that final saved page.
Did you perform all of the steps on the Geeks to Go forum?  There are several things you should do before running HiJackThis.
At the bottom it states the following analysis has been stored temporarily. That is it.
Right above that there should be links that read "Save Analysis/Short Analysis" (they may be in a hard-to-read color). Click on "Save Analysis" and you'll get a new page. The address will be something like:

 http://www.hijackthis.de/logfiles/8162635dce2815d631f5927c54cb2e56.html

That is the address we need.

Thanks.
Hmm.. your HJT log seems clean.

Any luck examining the "hosts" file?

BTW, is this a server running Exchange?
Yes, I am running exchange and the local host file has "127.0.0.1       localhost"... no other entries.

The redirection is on all 165 machines and the server.  Server 2003 Enterprise. Clients running XP Pro.  Appreciate the help.
Check your DNS entry for yahoo.com; do this on the DNS server. I get 68.142.197.82. Of course, I'm sure they have a cluster of servers handling requests, but this may at least help you get a step in the right direction.

Also try ping -a www.yahoo.com and see what you get.  With this large a number of machines affected it is unlikely that this is a spyware/malware issue, unless it is affecting your server.  Did you ever go through the Geeks to Go forum, just to be on the safe side?
Just another quick note, I flushed my DNS cache and the second time around got an IP address of 68.142.197.67, so it would seem that if you get the first three octets right you should have a correct DNS resolution.
Yes, the fact that it's happening on all your machines points to a DNS problem.
As pyroman1 suggested, try nslookup for www.yahoo.com

> nslookup
www.yahoo.com

For comparison, I get:

addresses: 68.142.197.89, 68.142.197.66, 68.142.197.74, 68.142.197.75,
68.142.197.80, 68.142.197.81, 68.142.197.83, 68.142.197.88
I get 67.59.168.37... How do I fix this in DNS?
Make sure everything in your forward lookup zone is accurate.  Also check to see if your DNS forwarding servers are correct.  You may need to contact your ISP if you don't have this information available.
Your DNS server seems to be compromised in some way. Are you running your own DNS server, or are you using the ISP's ?

If it's your own server then try rebooting it as a start.
I am running my own DNS server and I already rebooted.  I don't really understand DNS so well.  I know it translates IP address stuff.  

So my question is what am I forwarding to my ISP?  Am I finding out what their DNS server names are and creating an alias or something, because I am sure that I haven't done that.

My ISP is called Arrival communications in Modesto, CA.
ASKER CERTIFIED SOLUTION
pyroman1

Oh, and as for the forwarders.  Right click on your server name and choose Properties.  Click on the Forwarders tab and check the IP address of your ISP's DNS servers.  You will have to contact them to see what you should be using.
Should I have an entry for www as a lookup zone?
Yes, this will likely point to your company's web page.  Do a ping -a I.P.Addr.ess to see what the host name is for that IP address.