How is the Help-Yield.net search site redirecting all Windows Browsers?

I stumbled across an issue the other day, but can't figure out how it got there. If you type an incorrect name in the address bar of Firefox, IE7, etc., instead of timing out, it sends you to a search site called wwwm.help-yield.net. However, it only does this if the URL is properly formatted. For instance, www.askdjlkajsdjf.com will send you to this site, but ww.klksdas;d.ed will not. I've searched the reg and every file on my system and can find no reference. For now, I just blocked it out... but I'd REALLY like to know what put it there in the first place.

Thanks in advance!

-Hawk
Hawk5471 Asked:
 
Marc Z Commented:
Let's try something different.

We're going to change your dns server.


See the instructions here to change your DNS server to OpenDNS and test out your browsers.
https://www.opendns.com/start

I overlooked your initial post about help-yield.net isn't www. , but wwwm.

That indicates to me that somewhere, most likely on your system, you do have a malware problem.

Unless richler and you can verify having the same DNS servers or ISPs, that would indicate similar malware on your machines, to me.

You mentioned McAfee and HijackThis and now your mvps Hosts file has stopped it, which is good, but I would be curious, if this were my machine, and test with more AntiSpyware programs. Like Superantispyware http://www.superantispyware.com/

MS Defender http://www.microsoft.com/athome/security/spyware/software/default.mspx Free
Lavasoft Adaware  http://www.lavasoftusa.com/software/adaware/ Free
Spybot Search & Destroy  http://www.safer-networking.org/en/download/ Free
Spysweeper http://www.webroot.com/ Not Free but 14 day trial
Spyware Guard http://www.javacoolsoftware.com/spywareguard.html Freeware/shareware
Spyware Blaster http://www.javacoolsoftware.com/spywareblaster.html Free/shareware

My AV of choice is Avast at www.avast.com both a free version and a professional.
And of course, grab both an Antispyware and an AntiVirus program, by www.free.grisoft.com called AVG. (2 different programs)
0
 
Marc Z Commented:
Perhaps it is part of your DNS servers response to bad requests.

help-yield.net is Registered through GoDaddy by DomainsByProxy, Inc found here.
http://www.domainsbyproxy.com/LegalAgreement.aspx 

Have you scanned your system for malware?

If you truly wanted to, you could add help-yield.net to your Hosts file.
http://www.mvps.org/winhelp2002/hosts.htm

0
 
war1 Commented:
Hello Hawk5471,

Some sites can hijack your location bar search. Here is how to restore the search to Google.
http://blog.taragana.com/index.php/archive/how-to-change-your-firefox-location-bar-search-engine/

Hope this helps!
war1
0
 
richler Commented:
I have the same problem. Blocking the redirection to wwwm.help-yield.net just makes my navigation end with an Unable to connect because the URL goes back to loopback. I can nslookup the IP address of the URL and successfully use the IP address to get to the site, but that's quite an annoyance. Not sure what I've picked up. I've searched for malware and run HijackThis (admittedly didn't really know what I was looking at) and don't seem to see anything wrong. It only happens when I'm using my VPN, which is odd, and only on my network at home. Any other ideas out there? My DNS (through my VPN) is always able to resolve the addresses. It doesn't happen when my router is the DNS. I'm not a Windows guy nor much of a networking guy. How can I trace what's happening in the browser when I type a URL and hit enter?
Thanks...Bill
0
 
Marc Z Commented:
One more thing I forgot, have you opened Internet Options and gone to Advanced and gone down to Search From the Address Bar and select the "Do not search from the Address Bar."

See if that helps.
0
 
Hawk5471 (Author) Commented:
Maybe I should add a little more information here. I had already gone through pretty much all of the things listed above before I posted the question. I also tracked them back to GoDaddy, checked for malware, and all that. I'm showing no malware... and I've run everything from McAfee, to HijackThis, and all the other normal scanners. Nothing! I ALWAYS turn off "search from address bar" in all my browsers.
The only thing I could figure was either they have a deal with my ISP or they hijacked their DNS servers somehow.

Originally, I just blocked that site into my host files, but then it started redirecting to another site of theirs. Then I set up domain and a few other rules in my firewall and added a full host file from http://www.mvps.org/winhelp2002/hosts.htm and that seems to have stopped it.

I guess the real question is... If they don't have a deal with the ISP, then how are they hijacking the browser search (or DNS)? Considering Richler stated he has the same problem, I don't think it's a local provider issue here.

Thanks for all help so far, I really appreciate it!

     -Hawk




0
 
Marc Z Commented:
By the way, you will have to rename your Hosts file IF you desire to test it out with a new DNS seeing as how that is already fixing your error.
0
 
richler Commented:
First, I seemed to determine early that this isn't browser related as I've seen the same problem with IE6, FF (0.6 and 2.11) and Opera. Over the weekend, I ran through a battery of spyware/virus tests and have been unable to detect anything wrong. I have found that when using my VPN's DNS list, there is occasionally an initial timeout in attempting to resolve addresses, followed by a success (using nslookup). This <seems> to coincide with the redirection to wwm.help-yield.net in my browser. Once successful in the browser though, it appears to be using cache, as the redirection doesn't occur again. When I'm not using my VPN's DNS, the resolution is coming from my router which is on the same subnet and thus no delay in resolving, thus never a redirection. So, as I'm not a browser hack/guru, I don't know what goes on inside but it appears that if there's any delay in resolving the address, it immediately redirects. The final bit of interest for now is that when not on my home network, I don't see the problem. This is odd given that the VPN address is still not native. I'm assuming that this is related to my rather poor performing ISP, regardless of the fact that I pay for their fastest internet service.

So if anyone can tell me how to tell the browsers to be a bit more patient, that would be a good next step.

Many thanks to all who've tried to help.  The list of anti-spyware that was provided will be retained and passed along to family members who think that because I work with AIX, I must be a Wintel guru ;-)
0
 
Hawk5471 (Author) Commented:
I'm going to try a few other in-depth tests to see if I can find anything else.
0
 
war1 Commented:
Hawk5471, keep us updated on the tests.
0
 
Hawk5471 (Author) Commented:
OK... I finally got in touch with someone at my ISP that knew the scoop. This is a 3rd party search engine that my ISP is testing! Apparently, this company and several other search engines are contacting ISPs and working out deals to include them in their DNS. Nice, eh?

Even the first tech support guy I talked to wasn't aware they were doing this. He spent quite a bit of time trying to figure out why it was happening on his end too! Finally, someone informed him.

Richler and Mtz both indicated it was a DNS problem, so I feel the points should go to you both for your help.
0
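The behaviour this thread arrives at, a resolver answering lookups for names that do not exist with the address of a search page, can be checked directly. The following is an added example, not part of the original thread; the function names are hypothetical and the probe names are randomly generated, well-formed hostnames of the kind the question says were redirected.

```python
import secrets
import socket


def system_resolve(name):
    """Addresses the OS-configured resolver returns for name (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()  # an honest resolver reports NXDOMAIN as a lookup error
    return {info[4][0] for info in infos}


def random_probe_names(count=4, tlds=("com", "net", "org")):
    """Well-formed hostnames carrying 80 random bits, so they are not registered."""
    return [f"www.{secrets.token_hex(10)}.{tlds[i % len(tlds)]}" for i in range(count)]


def check_nxdomain_rewriting(resolve=system_resolve, names=None):
    """Resolve names that should not exist and report any that got an answer."""
    names = names or random_probe_names()
    rewritten = {}
    for name in names:
        addrs = resolve(name)
        if addrs:
            rewritten[name] = addrs
    # Unrelated random names landing on the same address point at one
    # catch-all host (a search or advertising page) behind the resolver.
    shared = set.intersection(*rewritten.values()) if len(rewritten) > 1 else set()
    return {
        "probed": len(names),
        "rewritten": rewritten,
        "shared_addresses": shared,
        "verdict": "rewritten" if rewritten else "clean",
    }


if __name__ == "__main__":
    report = check_nxdomain_rewriting()
    print("verdict:", report["verdict"])
    for name, addrs in report["rewritten"].items():
        print(f"  {name} -> {sorted(addrs)}")
    if report["shared_addresses"]:
        print("catch-all address(es):", sorted(report["shared_addresses"]))
```

Running it once per resolver in use (ISP, VPN, home router) shows which one is rewriting failed lookups. Rename any blocking Hosts file first, as noted earlier in the thread, or its entries will mask the result.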
 
Marc Z Commented:
Thanks for the update Hawk5471.

As I noted before, if you don't like it, you can always use a different DNS like OpenDNS, but they have their own set of similar search results if you so desire.  This is the way they keep their services free.  But at the same time, your ISP is now making money, it seems, (I may be mistaken)  by doing this as well.
0
 
richler Commented:
Hawk, nice job.  I assume my ISP is doing the same.  That certainly explains why I didn't see it while on the road, only at home.  Kudos.  And thanks for the assistance points.
0
Question has a verified solution.
