
Unexpected browser redirection is often the result of malware - usually malware on your machine, but occasionally a problem with the site.

When I type in some URLs, such as google.com or yahoo.com, instead of getting the real website, I appear to be redirected to some other site ending in .ru. But the site I typed in still stays displayed in the address line. Is this a virus or someone trying to take over my computer? How do I clean this up?

In a word: malware.

This is a fairly classic case of a browser hijacking.

There are many variations on the theme, but the idea is very simple: you try to go somewhere and you land ... somewhere else.

DNS hijacking

What you've experienced seems like a pretty direct hijack. If the address bar remains unchanged – i.e. it still says "google.com" – and yet you know that you're not seeing google.com at all, then malware has perhaps modified your system's "hosts" file, your DNS settings, or potentially the DNS settings in your router.

All three of those approaches modify the way your system locates servers on the internet. Looking up "google.com" in DNS should normally return the IP address of one of Google's servers. In the case of a DNS hijack, a different IP address is returned – the IP address of a malicious server. In some cases, the malicious server can be set up to look like the site that you think you're accessing in order to fool you into divulging personal information, like login credentials or worse.

The DNS changer malware that we've all heard so much about recently did exactly this.
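The two checks a defender can actually run against the machine-side causes named above are (a) read the hosts file and flag any well-known name pinned to a non-local address, and (b) compare what the system resolver answers with what a trusted resolver answers. The following Python script is an added example, not code from the original article; the watched-domain list, the sample hosts-file text and the reference addresses (from the TEST-NET documentation ranges) are constructed for the example, and only the `system_lookup` helper needs network access.

```python
import ipaddress
import socket
from typing import Dict, List, Set, Tuple

# Domains a hosts file on an ordinary workstation has no business pinning to an
# address.  This list is an assumption made for the example; extend it with the
# sites your users actually visit.
WATCHED_DOMAINS = {"google.com", "www.google.com", "yahoo.com", "www.yahoo.com"}

# Constructed sample hosts-file content (not a real capture).  The last line is
# the pattern a hijack leaves behind: a well-known name pointed at an address the
# attacker controls (203.0.113.7 is from the TEST-NET-3 documentation range).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com        # a legitimate ad-blocking entry
203.0.113.7     google.com www.google.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, skipping comments and blanks."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def suspicious_hosts_entries(text: str, watched: Set[str] = WATCHED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Flag (address, hostname, reason) for entries that look like a redirect.

    A watched domain mapped to loopback or 0.0.0.0 is a blocking entry, not a
    hijack; anything else is worth a look.  Unparseable addresses are reported
    too, since a tampered file is often also a malformed one.
    """
    findings = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if name in watched and not (addr.is_loopback or addr.is_unspecified):
            findings.append((address, name, "well-known domain pinned to a non-local address"))
    return findings


def compare_answers(local: Dict[str, Set[str]], reference: Dict[str, Set[str]]) -> List[str]:
    """Return names whose local answer shares no address with the reference answer.

    CDNs legitimately answer differently by region, so a mismatch is a lead to
    investigate rather than proof of tampering; overlap is a clean signal.
    """
    mismatched = []
    for name in sorted(local):
        if name in reference and not (local[name] & reference[name]):
            mismatched.append(name)
    return mismatched


def system_lookup(name: str) -> Set[str]:
    """Ask the system resolver (which honours the hosts file and configured DNS)
    for every address of `name`.  Requires network access."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


if __name__ == "__main__":
    for address, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {address}: {reason}")
    # Constructed reference answers standing in for a trusted resolver's output.
    reference = {"google.com": {"198.51.100.10"}}
    try:
        local = {"google.com": system_lookup("google.com")}
        print("mismatched:", compare_answers(local, reference))
    except socket.gaierror as exc:
        print("lookup failed (offline?):", exc)
```

In practice the reference answers would come from a resolver you trust (queried directly, not through the system stack) and the hosts file from its platform path, `%SystemRoot%\System32\drivers\etc\hosts` on Windows or `/etc/hosts` elsewhere.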

Browser hijacking

Some malware, rather than playing with your DNS, takes a more direct route and infects your browser or a component of the browser directly.

Apparently, the recent "Flashback" malware that infected so many Macs worked this way, leveraging a vulnerability in the Java browser component used by many websites and web-based services. It's my understanding that once infected, simple page loads weren't impacted, but clicking on certain search results would take you not to the result you clicked on, but rather to something else, as set up by the malware authors.

Analyzing and modifying search results is just one example. Once infected, malware can do many different things in your browser.

Site hijacking

To be complete, we also need to mention that occasionally it's not your problem at all, but a problem at the site that you're attempting to visit. This is almost never the case with high profile sites like Google or Yahoo!, but occasionally smaller sites do get hacked.

Most often when a site gets hacked, it's simply defaced in some way.

It's possible, however, that once hacked, a site could fairly easily be modified to automatically send any visitors that it does get to some other website – presumably a malicious one.

Fixing the problem

Except for the latter case, where the problem is actually not on your machine, fixing it should be fairly easy.

Run an up-to-date anti-malware scan.

If you're unsure of what to run (and you should be running something, always), the article "What Security Software do you recommend?" has my current recommendations.

For a problem like this one, I'd install and run Microsoft Security Essentials, keeping that as your ongoing anti-virus and anti-spyware solution and then also run a scan by the free Malwarebytes Anti-malware tool, which seems to pick up a number of nasties that other tools do not.

(This is an update to an article originally published November 3, 2005.)

Article C2452 - May 12, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

48 Comments

@Johnxi
If you have malware on your system, there is little it cannot do. Unless you remove the malware it can change the DNS setting to whatever it wants. Since your router can be accessed through your computer, it is possible that malware can make changes to your router's settings.

Posted by: Mark J at May 15, 2012 2:26 PM

I knew I had a virus when the file I clicked on [ reported clean by antivirus ] disappeared on execution.
Watch for this latest one. Here's the story AND the fix.
Like a fool not following his own advice, I downloaded an exe file believing it to be what I expected. All prior checks on the file with 4 anti-virus programs gave it the all clear; but I knew it was dodgy the minute the whole file disappeared after attempting to run. Aaaaaaaaagh!
I ceased all activity and ran AV again, which pin-pointed one file in the system32 folder as a virus: MRXSMB.SYS. Knowing how big the original EXE file was, I was sure that other hidden damage had been done. Rebooting immediately in safe mode, I scanned again and this file 'recreated' itself; identified as 'win32:SireFeF-WZ'.
Steps to eliminate it:
1. Scan registry and delete all instances of MRXSMB.SYS.
2. Open explorer, navigate to win32 and order files by date.
3. Find any file created the moment I ran the virus file [ date ], usually last on the list.
4. Delete these files but NOTE their names. Now open the registry and search for each file name you deleted and delete them from the registry [ careful - delete only the file names, NOT the keys ].
5. Run virus scanners again.
6. Open explorer, navigate to documents and settings, your user folder [ joe ]. Search for *.exe. Order by modified or date created. Look for files created ATT [ usually bottom of list ].
Note their names, delete files. Now search for *.sys and go through the same process. Now open registry again and search for each noted file name, delete the file names from registry entry.
7. Get your good copy of MRXSMB.sys and put it in sys32 folder. Open permissions and 'deny delete'.
[ the virus file contained the word 'dummy' in it when opened with notepad - dead give-away as no such word exists in the real file ]
Now reboot normal - go to mrxsmb.sys and check the word 'dummy' does not exist in it.
That's it. On the net, the experts say it's such a stealth pest that only re-installing your OS will get rid of it, but I did the above and got rid of it.

Posted by: john neeting at May 15, 2012 11:10 PM

I have a slightly different variation than on here, but will try some of the suggestions when I get home.
On my PC it redirects if I get the url slightly wrong eg wwww.bbc.co.uk or www.bbc.oc.uk.
Which I often do!
Deleting the history in Java works, but only temporarily, few hours at most.
Various alternatives but most common is click2find page that is linked.
It is driving me crazy, and is a work PC, so I don't have admin rights. Our IT team could not sort it either.
Hopefully someone has the answer.
Good luck everyone, I know how frustrating it is.

Posted by: singe at May 16, 2012 1:16 AM

To Mark J
Changing the DNS setting in your IP config - possible. Changing DNS on your router - EXTREMELY unlikely assuming you've set up an admin password.

Actually: A) an amazing number of people have never changed the default password on their routers thus B) malware authors have most definitely taken advantage of that and there is indeed malware that reaches out and changes the DNS settings on routers.
Leo
15-May-2012
Posted by: Johnxi at May 16, 2012 8:50 AM

I did an expanded version of my account and here it is.

Something to try to help you recover from virus when all else fails.

Nearly all virus files operate in 2 ways. They either compose a new file which is itself the virus; or they substitute an existing file for a 'dummy' file which is the virus with the same name.

Most anti-virus programs quarantine or erase the file identified by option choice; but none give you the option of replacing the identified file with the real one, then locking that file in the permissions area [ forbid erase by your log in name ]. Especially problematic if the infected file is an essential boot file.

If your anti-virus program alerts you to a virus in a file while it is running by command [ initiate scan by you ], pause the scan and replace the identified file with your backup file; now manually 'lock' the file by OS permissions as above, then continue the scan. Do the same for each file encountered with a virus. This gives you time to find the initial command file that is doing the damage because it cannot initiate if the OS denies erase.

Now that we have locked files that attempt to be erased and substituted, we can look for the file or files that have been composed to initiate the actions. Time stamps tell you a lot and looking for files that suddenly appear is relatively easy. Most virus files are initiated from one of two places [ to cover all editions of windows ].

The first is in the 'documents and settings' folder usually under your logged in profile. By searching files by time stamp [ *.* ] you can pinpoint the exact file that was composed at the time you got the virus OR the nearest time to the present if you left scanning till later. If you find, say, 2 files composed at the nearest time to the present, erase them after noting their names. If they are EXE, COM, DLL, SYS, BAT files, you don't need to do the substitution method [ not yet anyway ], just note and erase.

Now go to the windows\system32 directory and search again by time stamp. Remember, the created virus files will have the same time stamp [ or damn near close ]. Again, note the file names, erase the files - now go to your MIRROR BACK UP FILES on another physical drive [ you do have these, don't you ? ] and search for these names to see if they exist. If they do, copy the good files to where they should be and LOCK THEM by OS permissions [ forbid erase again ].

If the file you erased is NOT a valid file, we need to temporarily fool the virus composer into thinking that it exists already to do its dirty work. This gives us time to root out any master file we might have missed that was placed somewhere we are not looking.

Make a notebook TXT file with the same name as the file that shouldn't be where you found it [ EG. xyz.sys ]. Fill the text file with the word 'null'; about a page's worth will do. Save the file as xyz.sys and lock this by OS permissions as well [ just to be safe, in case the virus composer checks the byte value ].

What have we got? Well, we replaced all the suspect files with our back ups and LOCKED them by permissions. We put in dummy files that shouldn't be there and LOCKED them by permissions.

CONTINUE THE SCAN. Chances are, you won't see any more alerts but if you do; back to square one.

OK, now we have scanned to the end; do ANOTHER complete scan to be sure, to be sure. All clear ?

NOW we have a list of file names that SHOULD NOT be present. Open the registry with 'regedit' in the run command window. Search for instances of each of these bogus files and erase them from the registry if found [ do not erase keys - just the file names themselves ]. The replaced and locked valid files [ valid ones from our mirror back up ] should be left alone as these are real files, not bogus ones.

Now reboot your PC in normal mode. Do another scan. All clear?

Now, do your peeking at time stamps in the 2 areas I've mentioned and you should see no files created anywhere near the present date. We do the final peek to be sure that there is no file that even attempts to install a virus even if its efforts are blocked by locked files. Hopefully, you should be all clear. If, for some reason, the PC will not boot to normal windows [ because you accidentally erased an essential file ], boot to safe mode and copy [ lock ] the files again. There are only very few essential files that windows needs to boot to safe mode so really, this scenario would be rare indeed; I've never encountered it myself and I've used this method 3 times already in the last few years.

I use this method in 2 instances.

1. Immediately after realising I got a virus by running a program
2. When all efforts to get rid of a virus fail after being identified by my scanners [ the file recomposes itself ]
So far, I’ve managed to avoid doing a complete reload of OS with this last ditch effort.

The key to this method is having a scanner that identifies the infected file [ not necessarily the 'master' file that composes the virus, just a file that got infected ] and [ most important ] a complete backup of the boot drive, on another drive you can source your OS files from. For this, I use Karen's Replicator [ free program ] and re-replicate the complete drive before I attempt to install anything. Hope this method is of some use to you people tearing your hair out.

Posted by: john neeting at May 17, 2012 6:26 PM
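The time-stamp step in the two comments above (sort the profile folder and system32 by date, then look at executable files that appeared at the moment of infection) is easy to automate so that it can be repeated after each scan and reboot. The Python routine below is an added example, not code from the commenter or the article: it lists files of the named executable types whose modification time falls within a window around a reference moment, newest first. It assumes modification time (Explorer's "Date modified") as the timestamp, because Python cannot read creation time portably, and it builds its own constructed directory of placeholder files rather than touching a real system folder.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Optional, Set, Tuple

# File types the comment above singles out for inspection (an assumption for
# this example; widen it if your scanner flagged something else).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".dll", ".sys", ".bat"}


def files_modified_near(directory, reference: datetime,
                        window: timedelta = timedelta(minutes=10),
                        suffixes: Optional[Set[str]] = EXECUTABLE_SUFFIXES,
                        recurse: bool = False) -> List[Tuple[Path, datetime]]:
    """Return (path, mtime) pairs for files whose modification time lies within
    `window` of `reference`, newest first.  Uses st_mtime (Explorer's "Date
    modified") because creation time is not portable across platforms."""
    root = Path(directory)
    candidates = root.rglob("*") if recurse else root.iterdir()
    hits = []
    for path in candidates:
        try:
            if not path.is_file():
                continue
            if suffixes and path.suffix.lower() not in suffixes:
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
        except OSError:
            continue  # unreadable entry; log it separately for a full audit
        if abs(mtime - reference) <= window:
            hits.append((path, mtime))
    hits.sort(key=lambda item: item[1], reverse=True)
    return hits


def build_constructed_tree(base, now: datetime) -> None:
    """Populate `base` with constructed placeholder files stamped at chosen
    times.  These are not real system components."""
    base = Path(base)
    stamps = {
        "old_driver.sys": now - timedelta(days=400),   # long-standing, expected
        "notes.txt": now - timedelta(minutes=2),       # recent but not executable
        "recent_helper.dll": now - timedelta(minutes=3),
        "recent_loader.exe": now - timedelta(minutes=1),
    }
    for name, when in stamps.items():
        path = base / name
        path.write_bytes(b"constructed sample content\n")
        os.utime(path, (when.timestamp(), when.timestamp()))


def demo(window_minutes: int = 10) -> List[str]:
    """Build the constructed tree in a temporary directory and return the file
    names the triage would surface, newest first."""
    with tempfile.TemporaryDirectory() as tmp:
        now = datetime.now()
        build_constructed_tree(tmp, now)
        hits = files_modified_near(tmp, now, window=timedelta(minutes=window_minutes))
        return [path.name for path, _ in hits]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

On a real machine you would call `files_modified_near` on the profile folder and on `%SystemRoot%\System32` with `reference` set to the moment the downloaded file was run; keep the window generous, since a dropper can take a minute or two to write everything out, and treat the resulting list as names to note and check against a known-good backup, exactly as the comment describes.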
Post a comment on "Why is my browser being redirected?":