Mario G. (United States) asked:
Internal url being redirected to an external site

I have an internal web service for our I.T. tech support. Today I had a couple of users who said that when they click on the internal link they get redirected to a site, getwidgetserver.com, and it doesn't let them go back to the internal service.

I have scanned these PCs multiple times with our AVG antivirus; we have also downloaded Malwarebytes, and no luck. Have any of you had this issue? Do you have any ideas how I can remove this redirect from these client computers?

Here is the full URL for the redirect: www6.widgetserver.com

Thanks,
Perarduaadastra (United Kingdom):

Check the DNS settings for the affected computers to see if they have been altered.
McKnife:
Also check the contents of c:\windows\System32\drivers\etc\hosts
Mario G. (asker):
We have static IP addresses for the DNS settings on these machines.

I also looked at the hosts file and it looks normal.

# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost
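As an added example (not code from anyone in this thread), here is the check McKnife suggests done programmatically: parse the hosts file, ignore comment lines like the ones pasted above, and flag any active entry that either maps a name to an address outside the internal ranges or maps the same name to two different addresses. The hosts file content, the hostname helpdesk.corp.example and the internal range 10.0.0.0/8 are constructed for the example; 184.168.221.104 is the address the thread's nslookup returned for www6.widgetserver.com.

```python
import ipaddress
import sys

# Constructed sample hosts file content (not the asker's real file). The
# commented lines mirror the Windows default; the three active lines at the
# end are made up for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
127.0.0.1       localhost
10.10.10.7      helpdesk.corp.example      # legitimate internal entry
184.168.221.104 helpdesk.corp.example      # override pointing outside the LAN
"""

# Assumed internal address ranges; adjust to the site's own allocations.
INTERNAL_NETS = ["10.0.0.0/8"]


def parse_hosts(text):
    """Return (ip, [names]) for each active entry. Comment lines and anything
    after a '#' are ignored, so a file made only of comments yields nothing."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # line does not start with an address: skip it
        if parts[1:]:
            entries.append((str(addr), parts[1:]))
    return entries


def find_suspicious(entries, internal_nets):
    """Flag names mapped outside the internal ranges, and names mapped to
    more than one address (two lines disagreeing about where a name goes)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    seen = {}
    flagged = []
    for ip, names in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            continue  # 127.0.0.1 / ::1 localhost lines are expected
        for name in names:
            name = name.lower()
            if not any(addr in net for net in nets):
                flagged.append((name, ip, "outside internal ranges"))
            if name in seen and seen[name] != ip:
                flagged.append((name, ip, "conflicts with " + seen[name]))
            seen.setdefault(name, ip)
    return flagged


if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to check a real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for name, ip, why in find_suspicious(parse_hosts(text), INTERNAL_NETS):
        print(f"{name} -> {ip}: {why}")
```

Run against the sample it reports the external mapping twice, once for being outside the internal ranges and once for conflicting with the legitimate 10.10.10.7 line; run against a default Windows hosts file (all comments) it reports nothing, which is the "looks normal" case.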
So what happens if you ping the internal url?
Also do
nslookup internalurl
nslookup www6.widgetserver.com


Same responses?
It may be that the redirect is being initiated from within the browser of the affected machines. Does the problem occur if a different browser is used? Try clearing the browser cache, and if necessary deleting all cookies.

You can also flush the local DNS cache by running the following command at the prompt:

ipconfig /flushdns
This happens in every browser as soon as I click on the URL we need to open.
C:\Users\nslookup internalurl
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.10.10.3

*** UnKnown can't find internalurl: Non-existent domain

C:\Users\nslookup www6.widgetserver.com
Server:  UnKnown
Address:  10.10.10.3

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    www10.smartname.com
Address:  184.168.221.104
Aliases:  www6.widgetserver.com
Is 10.10.10.3 the expected DNS server?
So the internal url cannot be resolved by 10.10.10.3. That needs to be changed, check the DNS entries for that url.
Correct, the DNS 10.3 is expected.

Check DNS entries for what url?

Thanks,
As written, for the internal url. The dns entry for that web server.
Arana (G.P.):

Does it happen only when you click on a link, or also if you manually type the IP in your browser? Does your site use any third-party widgets that may be redirecting you to their developer's page?
It happens as soon as I open this internal web service: \\10.10.10.7:8292/portal

I have scanned with Malwarebytes and it looks like it finds something, but it gets enabled again as soon as the PC restarts.
1st you said, it didn't find anything, now it "looks" like it finds something? :-)
Please share what it found.
This is what AdwCleaner found:

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy             C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil
PUP.Optional.Legacy             C:\Users\Administrator\AppData\Local\YSearchUtil
PUP.Optional.Legacy             C:\Users\mario\AppData\Local\YSearchUtil

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy             HKU\S-1-5-21-2785454248-2449778033-2676715903-1171\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.
Every time I reboot my machine this keeps getting re-enabled; the adware removal tool says it was removed, but then it finds it again.
I am using Spiceworks Help Desk in my internal network. The admin portal works OK, but as soon as they click on the user portal the redirect happens.
Did you look at the description of the PUP? malwarebytes will have described what it does. Its name is YSearchUtil, I guess.
I just found that when I go to another PC that was not used before to access this web service, as soon as I click the link I get the same URL redirect. I am guessing there is an infection on the server side for this URL?

Have any of you used Spiceworks Help Desk?

Thanks,
Read the description, see how that malware works, verify the presence of symptoms, then decide what to do.
Check the proxy server settings and see if they have been modified without your knowledge.
I have looked at the proxy settings and nothing is there, on the local machine or on the hosting server.

I am attaching a screenshot of this redirect:
sshot.pdf
I found a thread on the internet about this issue with others using their blog sites: https://productforums.google.com/forum/#!topic/blogger/-zYY3ZJQhaw

However, for us the same issue is happening internally.
Well, that's interesting. The redirect is to a non-existent domain which is available for you to purchase, should you wish to do so!

However, the name itself suggests that it is an example name from a tutorial, like the venerable foo.com and contoso.com, which are (or were) ubiquitous in innumerable guides and how-to articles as placeholders for real domain names.

Has anyone in your organisation been using such material, and somehow introduced this spurious name into the works?
We found that there was a JavaScript embedded in a calendar object, and every time the end user clicked on the portal the redirect happened. Once we removed this JavaScript from the code, all is back to working as normal.

Thank you all for your help while troubleshooting this.
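Since the root cause turned out to be a script embedded in a widget on the portal page rather than anything on the clients, here is an added example (not from anyone in this thread and not Spiceworks code) of a defender-side check for exactly that: load the portal HTML and list every script or iframe source and meta refresh that points at a host outside an allow-list, plus any inline script that assigns to location or calls location.replace/assign. The portal markup, the calendar widget and the file paths are constructed; only the hostname www6.widgetserver.com and the server address 10.10.10.7 come from the thread. It goes a little beyond the thread's single case by also catching iframes and meta refreshes, which are other common ways a page forces a redirect.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the portal page (not Spiceworks' real markup).
# Only the hostname www6.widgetserver.com comes from the thread; the paths
# and the calendar widget are invented for this example.
SAMPLE_PAGE = """
<html><head><title>Help Desk Portal</title>
<script src="/assets/app.js"></script>
</head><body>
<div id="calendar">
  <script type="text/javascript">
    window.location.href = "http://www6.widgetserver.com/calendar.js";
  </script>
</div>
<script src="http://www6.widgetserver.com/widget.js"></script>
<a href="/tickets">My tickets</a>
</body></html>
"""

# An inline script that assigns to location, or calls location.replace/assign,
# is a client-side redirect regardless of where the target host is.
REDIRECT_RE = re.compile(r"\blocation\s*(\.\s*(href|replace|assign))?\s*[=(]", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


class RedirectFinder(HTMLParser):
    """Collect (kind, detail) findings: external script/iframe sources,
    meta refreshes, and inline scripts that redirect the browser."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._script = None  # text buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
            if a.get("src"):
                self._check_external("script src", a["src"])
        elif tag == "iframe" and a.get("src"):
            self._check_external("iframe src", a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta refresh", a.get("content") or ""))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw text through handle_data.
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            if REDIRECT_RE.search(body):
                hosts = sorted({h.lower() for h in URL_HOST_RE.findall(body)} - self.trusted)
                self.findings.append(("inline redirect",
                                      ", ".join(hosts) or "(target not an absolute URL)"))

    def _check_external(self, kind, url):
        # Relative URLs have no hostname and are served by the portal itself.
        host = (urlparse(url).hostname or "").lower()
        if host and host not in self.trusted:
            self.findings.append((kind, host))


def scan_page(html, trusted_hosts):
    """Return the findings for one page; an empty list means nothing off-site."""
    finder = RedirectFinder(trusted_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # For a live check, fetch the portal page with urllib and pass its body here.
    for kind, detail in scan_page(SAMPLE_PAGE, {"10.10.10.7"}):
        print(f"{kind}: {detail}")
```

Running this against the saved HTML of the user portal (and comparing with the admin portal, which the asker said was unaffected) would have pointed straight at the calendar widget's inline script, without touching any client machine.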
ASKER CERTIFIED SOLUTION
Mario G.