Unexpected browser redirection is often the result of malware - usually malware on your machine, but occasionally a problem with the site.
In a word: malware.
This is a fairly classic case of a browser hijacking.
There are many variations on the theme, but the idea is very simple: you try to go somewhere and you land ... somewhere else.
What you've experienced seems like a pretty direct hijack. If the address bar remains unchanged – i.e. it still says "google.com" – and yet you know that you're not seeing google.com at all, then malware has perhaps modified your system's "hosts" file, your DNS settings, or potentially the DNS settings in your router.
Each of those approaches modifies the way your system locates servers on the internet. Looking up "google.com" in DNS should normally return the IP address of one of Google's servers. In the case of a DNS hijack, a different IP address is returned – the IP address of a malicious server. In some cases, the malicious server can be set up to look like the site that you think you're accessing in order to fool you into divulging personal information, like login credentials or worse.
The DNS changer malware that we've all heard so much about recently did exactly this.
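One of the places a hijack of this kind can be checked directly is the hosts file (`C:\Windows\System32\drivers\etc\hosts` on Windows, `/etc/hosts` on Unix-like systems), because an entry there wins over DNS. The following script is an added example, not code from the article or its author: it parses hosts-file text and reports any line that maps a monitored domain (or a subdomain of it) to an address other than loopback or 0.0.0.0, which are the only values a legitimate ad-blocking or testing entry normally uses. The monitored-domain list and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that override well-known domains (added example)."""
import ipaddress
from typing import List, Tuple

# Domains a defender wants to ensure are never overridden locally
# (assumed list; adjust for your own environment).
MONITORED_DOMAINS = {"google.com", "www.google.com", "facebook.com",
                     "update.microsoft.com"}


def _is_benign_address(addr: str) -> bool:
    """Loopback and unspecified addresses are what blocklist-style entries use."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not even an IP address: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_no) triples, ignoring comments and blanks."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower(), n))
    return entries


def find_hijacks(text: str, monitored=MONITORED_DOMAINS) -> List[dict]:
    """Return entries that send a monitored domain to a non-loopback address."""
    findings = []
    for addr, name, n in parse_hosts(text):
        # exact match or any subdomain of a monitored domain
        hit = name in monitored or any(name.endswith("." + d) for d in monitored)
        if hit and not _is_benign_address(addr):
            findings.append({"line": n, "host": name, "address": addr})
    return findings


# Constructed sample, in the shape of a Windows hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example                 # ad-block style entry: harmless
198.51.100.23   google.com www.google.com   # suspicious override
0.0.0.0         tracker.example
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']}")
```

The check only covers the hosts file; a changed resolver address in the adapter settings or in the router needs to be inspected separately, for instance by comparing the configured DNS servers against the ones you expect from your ISP or the public resolver you chose.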
Some malware, rather than playing with your DNS, takes a more direct route and infects your browser or a component of the browser directly.
Apparently, the recent "Flashback" malware that infected so many Macs worked this way, leveraging a vulnerability in the Java browser component used by many websites and web-based services. It's my understanding that once infected, simple page loads weren't impacted, but clicking on certain search results would take you not to the result you clicked on, but rather to something else, as set up by the malware authors.
Analyzing and modifying search results is just one example. Once infected, malware can do many different things in your browser.
To be complete, we also need to mention that occasionally it's not your problem at all, but a problem at the site that you're attempting to visit. This is almost never the case with high profile sites like Google or Yahoo!, but occasionally smaller sites do get hacked.
Most often when a site gets hacked, it's simply defaced in some way.
It's possible, however, that once hacked, a site could fairly easily be modified to automatically send any visitors that it does get to some other website – presumably a malicious one.
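For the site-side case, the injected code is usually a meta refresh or a small script that rewrites `location`, pointing at a domain the site does not own. The scanner below is an added example (not from the article) that a site owner can run over their own served HTML to catch that pattern: it extracts redirect targets from those constructs and reports the ones whose host is outside the site's own domain. The sample page is constructed, and the regular expressions only cover plain, unobfuscated redirects, so a clean result is not proof that a page is untouched.

```python
"""Report client-side redirects in HTML that leave the site's own domain (added example)."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*content\s*=\s*['\"]"
    r"[^'\"]*url\s*=\s*([^'\"\s;]+)", re.IGNORECASE)
# window.location = "..."  /  location.href = "..."
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
# location.replace("...")  /  location.assign("...")
JS_REPLACE = re.compile(
    r"location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]\s*\)", re.IGNORECASE)


def _offsite(url: str, own_host: str) -> bool:
    """True when the URL's host is neither the site's host nor a subdomain of it."""
    host = urlparse(url).hostname
    if host is None:
        return False  # relative URL: stays on the site
    host = host.lower()
    return not (host == own_host or host.endswith("." + own_host))


def find_offsite_redirects(html: str, own_host: str) -> List[Tuple[str, str]]:
    """Return (kind, target_url) pairs for every redirect that points off-site."""
    own_host = own_host.lower()
    findings = []
    for kind, pattern in (("meta-refresh", META_REFRESH),
                          ("js-location", JS_LOCATION),
                          ("js-replace", JS_REPLACE)):
        for m in pattern.finditer(html):
            url = m.group(1)
            if _offsite(url, own_host):
                findings.append((kind, url))
    return findings


# Constructed sample page: one injected meta refresh, one injected script that
# redirects only visitors arriving from a search engine, and one legitimate
# on-site redirect that should not be reported.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://malicious.example/landing">
<script>if (document.referrer.indexOf("google") !== -1) {
  window.location.href = "http://malicious.example/seo"; }</script>
</head><body>
<a href="/about">About</a>
<script>location.replace("/login");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in find_offsite_redirects(SAMPLE_HTML, "www.example.org"):
        print(f"{kind}: {url}")
```

Run it against the HTML as actually served (fetched from the live site, not the copy in your repository), since a compromised server may add the redirect at request time or only for certain referrers.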
Except for the latter case, where the problem is actually not on your machine, fixing it should be fairly easy.
Run an up-to-date anti-malware scan.
If you're unsure of what to run (and you should be running something, always), What Security Software do you recommend? has my current recommendations.
For a problem like this one, I'd install and run Microsoft Security Essentials, keeping that as your ongoing anti-virus and anti-spyware solution and then also run a scan by the free Malwarebytes Anti-malware tool, which seems to pick up a number of nasties that other tools do not.
(This is an update to an article originally published November 3, 2005.)
Article C2452 - May 12, 2012
May 16, 2012 8:50 AM
To Mark J
Changing the DNS setting in your IP config - possible. Changing DNS on your router - EXTREMELY unlikely assuming you've set up an admin password.
15-May-2012
May 17, 2012 6:26 PM
I did an expanded version of my accounts and here it is
Something to try to help you recover from virus when all else fails.
Nearly all virus files operate in 2 ways. They either compose a new file which is itself the virus; or they substitute an existing file for a 'dummy' file which is the virus with the same name.
Most anti-virus programs quarantine or erase the file identified by option choice; but none give you the option of replacing the identified file with the real one, then locking that file in the permissions area [ forbid erase by your log in name ]. Especially problematic if the infected file is an essential boot file.
If your anti-virus program alerts you to a virus in a file while it is running by command [ initiate scan by you ],
pause the scan and replace the identified file with your backup file; now manually 'lock' the file by OS permissions as above then continue the scan. Do the same for each file encountered with a virus. This gives you time to find the initial command file that is doing the damage because it cannot initiate if the OS denies erase.
Now that we have locked files that attempt to be erased and substituted, we can look for the file or files that have been composed to initiate the actions. Time stamps tell you a lot and looking for files that suddenly appear is relatively easy. Most virus files are initiated from one of two places [ to cover all editions of windows ].
The first is in the 'documents and settings' folder usually under your logged in profile. By searching files by time stamp [ *.* ] you can pinpoint the exact file that was composed at the time you got the virus OR the nearest time to the present if you left scanning till later. If you find, say, 2 files composed at the nearest time to the present; erase them after noting their names. If they are EXE, COM, DLL, SYS, BAT files, you don't need to do the substitution method [ not yet anyway ] just note and erase.
Now go to the windows\system32 directory and search again by time stamp. Remember, the created virus files will have the same time stamp [ or damn near close ]. Again, note the file names, erase the files - now go to your MIRROR BACK UP FILES on another physical drive [ you do have these, don't you ? ] and search for these names to see if they exist. If they do, copy the good files to where they should be and LOCK THEM by OS permissions [ forbid erase again ].
If the file you erased is NOT a valid file, we need to temporarily fool the virus composer into thinking that it exists already to do its dirty work. This gives us time to root out any master file we might have missed that was placed somewhere we are not looking.
Make a notebook TXT file with the same name as the file that shouldn't be where you found it [ EG. xyz.sys ] Fill the text file with the word 'null' about a page worth will do. Save the file as xyz.sys and lock this by OS permissions as well [ just to be safe, in case the virus composer checks the byte value ].
What have we got? Well, we replaced all the suspect files with our back ups and LOCKED them by permissions. We put in dummy files that shouldn't be there and LOCKED them by permissions.
CONTINUE THE SCAN. Chances are, you won't see any more alerts but if you do; back to square one.
OK, now we have scanned to the end; do ANOTHER complete scan to be sure, to be sure. All clear ?
NOW we have a one list of file names that SHOULD NOT be present. Open the registry with 'regedit' in the run command window. Search for instances of each of these bogus files and erase them from the registry if found [ do not erase keys - just the file names themselves ]. The replaced and locked valid files [ valid ones from our mirror back up ] should be left alone as these are real files, not bogus ones.
Now reboot your PC in normal mode. Do another scan. All clear?
Now, do your peeking at time stamps in the 2 areas I've mentioned and you should see no files created anywhere near the present date. We do the final peek to be sure that there is no file that even attempts to install a virus even if its efforts are blocked by locked files. Hopefully, you should be all clear. If, for some reason, the PC will not boot to normal windows [ because you accidentally erased an essential file ]; boot to safe mode and copy [ lock ] the files again. There are only very few essential files that windows needs to boot to safe mode so really, this scenario would be rare indeed; I've never encountered it myself and I've used this method 3 times already in the last few years.
I use this method in 2 instances.
1. Immediately after realising I got a virus by running a program
2. When all efforts to get rid of a virus fail after being identified by my scanners [ the file recomposes itself ]
So far, I’ve managed to avoid doing a complete reload of OS with this last ditch effort.
The key to this method is having a scanner that identifies the infected file [ not necessarily the 'master' file that composes the virus, just a file that got infected ] – and [ most important ] a complete backup of the boot drive, on another drive you can source your OS files from. For this, I use Karen's replicator [ free program ] and re-replicate the complete drive before I attempt to install anything. Hope this method is of some use to you people tearing your hair out.
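The timestamp search the commenter describes (looking in the profile folder and in System32 for files created around the moment of infection) can be done programmatically. The script below is an added example, not part of the comment or of the article: it walks the directories you hand it and returns regular files whose modification time falls inside a window, newest first. The demo tree it builds is constructed; the Windows folder names in the comment are only illustrative defaults, and because malware can forge timestamps, an empty result narrows the search rather than proving the system clean.

```python
"""Triage a directory tree by file modification time (added example)."""
import os
import tempfile
import time
from typing import Iterable, List, Optional, Tuple


def recent_files(roots: Iterable[str], since: float,
                 until: Optional[float] = None) -> List[Tuple[float, str]]:
    """Return (mtime, path) for every regular file under `roots` whose mtime
    satisfies since <= mtime <= until, newest first.

    mtime is used because it is portable; on Windows, os.stat().st_ctime is
    the creation time if a 'created' search is wanted instead."""
    if until is None:
        until = time.time()
    hits: List[Tuple[float, str]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)   # do not follow symlinks
                except OSError:
                    continue              # unreadable or vanished: skip
                if since <= st.st_mtime <= until:
                    hits.append((st.st_mtime, path))
    hits.sort(reverse=True)
    return hits


def demo() -> List[str]:
    """Build a constructed tree with one old and two fresh files and return the
    basenames of files modified within the last hour, newest first."""
    base = tempfile.mkdtemp(prefix="triage-demo-")
    now = time.time()
    samples = {  # relative path -> constructed mtime
        "readme.txt": now - 10 * 86400,             # ten days old: not reported
        os.path.join("sub", "svc.exe"): now - 120,  # two minutes old
        "helper.dll": now - 30,                     # thirty seconds old
    }
    for rel, mtime in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (mtime, mtime))  # backdate the file to the chosen time
    return [os.path.basename(p) for _, p in recent_files([base], since=now - 3600)]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

On a real machine you would call `recent_files` with the profile directory and the system directory and a `since` value a little before the time the trouble started, then compare anything it lists against a known-good backup before deciding what to restore.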
June 20, 2012 7:44 AM
A user clicks a link in a web browser and it redirects to some other site or pulls up ads. What could be the reason and what can be done?
The reasons could be malware, options unintentionally selected somehow during surfing, the browser itself because of default options or the websites with legal redirects. I've seen browsers by some companies redirecting to their own inferior search engines from the selected one. Unfortunately, remedies tried may cause even worse problems. Registry repairs may force re-install of the OS with all the options and updates, upgrades, drivers, registrations gone. Another reason for good back-ups! And many programs, especially AIO types may cause more harm than good with so many options and potential to wreak havoc. That's why I prefer to maintain and clean my PCs myself manually.
If a good combination of AV and FW software is running all the time, with proper settings, I wouldn’t consider malware a great threat compared to what some regular software and OS/security updates do. Last time I had a malware infection was in 1997. However, I get requests from friends for this problem and manual remedies have almost always been good enough.
Some of the items to be checked manually are:
Running processes and system parameters.
Internet and browser options; including browsing and security settings, selected DNS servers, search assistants, geolocation and other junk, website redirect permits, new pages, etc.
Registry Modifications by malware or permitted software, registry areas to be investigated are actually not that much, just some familiarity is needed.
DNS Servers, sometimes infected by malware themselves, although rare. Actually DNS server selection should not be left to ISP/browser and DNS servers paid by some big names should be avoided against having redirection and ad problems.
Note that none of the anti-malware products would indicate most of these items, except some optimization software and even a re-install of the OS may not work.
November 28, 2012 12:22 AM
When I give any URL (website address), the browser itself returns to the Google page.
I installed another browser, i.e. Opera, and the problem was solved, but why am I facing it in Mozilla and Internet Explorer?
Please, sir, help me.
Thanks
April 16, 2013 10:10 PM
I have a similar problem. Whenever I log in to Facebook and Hotmail, I always end up in Yahoo search Altavista, which is terribly, terribly annoying. I have to refresh many, many times before Facebook or Outlook appears, but then sometimes it reverts back to Altavista search... I don't know what triggers it to go back;
What can I do to stop this from happening?