Mario G.
Internal url being redirected to an external site
I have an internal web service for our I.T. tech support. Today I had a couple of users who said that when they click on the internal link they get redirected to a site getwidgetserver.com and it doesn't let them go back to the internal service.
I have scanned these PCs multiple times with our AVG antivirus, we have also downloaded Malwarebytes and no luck. Have any of you had this issue? Do you have any ideas how I can remove this redirect from these client computers?
Here is a full url for the redirect - www6.widgetserver.com
Thanks,
Check the DNS settings for the affected computers to see if they have been altered.
Also check the contents of c:\windows\System32\drivers\etc\hosts
ASKER
We have static IP for DNS settings on these machines.
I also looked at the host file and it looks normal.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
So what happens if you ping the internal url?
Also do
nslookup internalurl
nslookup www6.widgetserver.com
Same responses?
It may be that the redirect is being initiated from within the browser of the affected machines. Does the problem occur if a different browser is used? Try clearing the browser cache, and if necessary deleting all cookies.
You can also flush the local DNS cache by running the following command at the prompt:
ipconfig /flushdns
ASKER
This happens on every browser as soon as I click on the URL we need to open.
ASKER
C:\Users\nslookup internalurl
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.10.10.3
*** UnKnown can't find internalurl: Non-existent domain
C:\Users\nslookup www6.widgetserver.com
Server: UnKnown
Address: 10.10.10.3
Non-authoritative answer:
DNS request timed out.
timeout was 2 seconds.
Name: www10.smartname.com
Address: 184.168.221.104
Aliases: www6.widgetserver.com
Is 10.10.10.3 the expected dns server?
So the internal URL cannot be resolved by 10.10.10.3. That needs to be changed; check the DNS entries for that URL.
ASKER
Correct, the DNS 10.3 is expected.
Check DNS entries for what url?
Thanks,
As written, for the internal url. The dns entry for that web server.
Does it happen only when you click on a link, or also if you manually type the IP in your browser? Does your site use any third-party widgets that may be redirecting you to their developers' page?
ASKER
it happens as soon as I open this internal web service \\10.10.10.7:8292/portal
I have scanned with Malwarebytes and it looks like it finds something, but it gets enabled again as soon as the PC restarts.
1st you said, it didn't find anything, now it "looks" like it finds something? :-)
Please share what it found.
ASKER
This is what adwarecleaner found:
***** [ Services ] *****
No malicious services found.
***** [ Folders ] *****
PUP.Optional.Legacy C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil
PUP.Optional.Legacy C:\Users\Administrator\AppData\Local\YSearchUtil
PUP.Optional.Legacy C:\Users\mario\AppData\Local\YSearchUtil
***** [ Files ] *****
No malicious files found.
***** [ DLL ] *****
No malicious DLLs found.
***** [ WMI ] *****
No malicious WMI found.
***** [ Shortcuts ] *****
No malicious shortcuts found.
***** [ Tasks ] *****
No malicious tasks found.
***** [ Registry ] *****
PUP.Optional.Legacy HKU\S-1-5-21-2785454248-2449778033-2676715903-1171\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries found.
***** [ Chromium URLs ] *****
No malicious Chromium URLs found.
***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries found.
***** [ Firefox URLs ] *****
No malicious Firefox URLs found.
ASKER
Every time I reboot my machine this keeps getting re-enabled; the adware removal tool says it was removed, but it finds it again.
ASKER
I am using spiceworks help desk in my internal network. The admin portal works ok, but as soon they click on the user portal the redirect happens.
Did you look at the description of the PUP? malwarebytes will have described what it does. Its name is YSearchUtil, I guess.
ASKER
I just found that when I go to another PC that was not used before to access this web service, as soon as I click the link I get the same URL redirect. I am guessing there is an infection on the server side for this URL?
Have any of you used spiceworks help desk?
Thanks,
ASKER
Read the description, see how that malware works, verify the presence of symptoms, then decide what to do.
Check the proxy server settings and see if they have been modified without your knowledge.
ASKER
I have looked at the proxy settings and nothing is there, in the local or the hosting server
I am attaching a screenshot of this redirect
sshot.pdf
ASKER
I found a thread on the internet about this issue with others using their blog sites- https://productforums.google.com/forum/#!topic/blogger/-zYY3ZJQhaw
However for us the same issue is happening internally
Well, that's interesting. The redirect is to a non-existent domain which is available for you to purchase, should you wish to do so!
However, the name itself suggests that it is an example name from a tutorial, like the venerable foo.com and contoso.com, which are (or were) ubiquitous in innumerable guides and how-to articles as placeholders for real domain names.
Has anyone in your organisation been using such material, and somehow introduced this spurious name into the works?
ASKER
We found that there was a JavaScript embedded in a calendar object, and every time an end user clicked on the portal the redirect happened. Once we removed this JavaScript from the code, all is back to working as normal.
Thank you all for your help while troubleshooting this.
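As an added example (not code from this thread or from the Spiceworks project), a small Python audit of the kind that would have pointed at the fix described in the post above: it parses a portal page and flags script tags that load from hosts other than the portal's own, plus inline scripts that change the browser location. The HTML sample, the trusted-host list and the function names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real Spiceworks portal): the embedded calendar
# widget carries a script that loads from, and redirects to, www6.widgetserver.com.
SAMPLE_PORTAL_HTML = """<html><body>
<h1>Help Desk User Portal</h1>
<script src="/assets/portal.js"></script>
<div id="calendar">
  <script src="http://www6.widgetserver.com/syndicate/calendar.js"></script>
  <script>window.location.href = "http://www6.widgetserver.com/";</script>
</div>
</body></html>"""

# Inline JavaScript that changes the browser location.
REDIRECT_RE = re.compile(r"\blocation\s*(\.href|\.replace|\.assign|=)|\bwindow\.open\(", re.I)


class ScriptAuditor(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None  # relative src -> no host
        if host and host.lower() not in self.trusted:
            self.findings.append(("external_script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser passes <script> bodies to handle_data, so inline code lands here.
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append(("inline_redirect", " ".join(data.split())[:100]))


def audit_page(html, trusted_hosts):
    """Return (kind, detail) findings; trusted_hosts are the portal's own hosts."""
    parser = ScriptAuditor(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `audit_page(SAMPLE_PORTAL_HTML, ["10.10.10.7"])` against the sample and both the off-site widget script and the inline `location.href` assignment are reported; a clean page returns an empty list.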