mynewslink.com redirect?


Mike B

Has anyone had an experience like this? We've got a client that
on one PC every month whenever they try to browse in either IE or
Netscape the page gets redirected to mynewslink.com.
This happens for about 3-4 days then mysteriously stops until the
next month. I've tried everything I can think of: CWShredder, Spybot,
Spysweeper, HijackThis and everything looks clean.
Even the hosts file is fine, and LSPFix shows only standard LSPs.
I'm stumped and can't find anything via Google except 1-2 posts just
describing the same symptoms w/o a cure.

Tia,

Mike
 
Joined Nov 29, 2006
Has anyone else seen this?? I just started getting this on two PCs on my network. Spybot does not fix it; any help would be appreciated.
 
Joined Oct 17, 2008
Hi. I'm writing to clear up some confusion and the abundance of bad information online regarding the mynewslink.com "hijacker".

I was affected by this for months. It drove me insane. I'm using Linux, and it affected multiple browsers. But it isn't some sort of amazing cross-platform, cross-browser malware, it's misconfigured network settings, plus some very unscrupulous people taking advantage of it.

The hijacking affects all systems: Windows PCs, Linux, Macs, and so forth. You can search for it with tools, but you won't find it.

When you set up your machine, did you choose an imaginary domain? I did, I chose "bug.net". The people who handle this have set it up so that whenever any request for "bug.net" is made, or anything that includes it at the end, it'll take you to the mynewslink.com page. Thus whenever there is any problem with any web address you use, ever, it'll then try the one under "bug.net", and it'll pretend to exist, and serve you the mynewslink.com page. At the moment, this resolves to 66.116.109.101, as does everything under bug.net.

If you chose any imaginary name that these people own, or have access to, it'll shunt you to the mynewslink.com page at seemingly random intervals. You won't know at the time, but this happens when the first lookup fails. At present (October 2008), you'll be sent to a domains.googlesyndication.com page that includes mynewslink.com in the URL.

The solution is to clean up these settings. Find where you have specified an imaginary domain, and remove it. Use "localdomain" instead, if you must use something.

For Windows XP:

To test if you are affected, do this:
- Left click Start
- Left click Run.
- Type "cmd" (no quotes).
- In the box that comes up, type: nslookup localhost
- If the result contains "127.0.0.1", you are okay. If the result does not, AND contains another address, you are probably affected.

To fix:

- Left click Start.
- Left click Control Panel.
- Double-click Network Connections.
- Right click "Local Network Connection".
- Left click Properties.
- Double-click "Internet Protocol (TCP/IP)".
- Click Advanced.
- Click DNS.
- Look down at any of the DNS suffixes listed, and remove any imaginary ones.

There may be other steps needed, check with your local IT guru.

If you're using Linux:

If you're not sure whether to apply this change or not, run this:

nslookup localhost

If you get *anything* but 127.0.0.1, then you are affected by this or a similar problem. localhost should never return anything but this address.

You can also test it like so:

nslookup really-long-domain-name-that-does-not-exist-3298473298.(your imaginary domain here)

eg.

nslookup zyzyzyzyzyzyzyzyzyahshshshshshsh.bug.net

If something valid comes back, you may have a problem. Try the same address in your browser.

To fix, look for a line like this in /etc/resolv.conf:

domain bug.net

Change it to:

domain localdomain

And everything will be solved.

Once you've cleaned it up, look for other references to the imaginary domain (eg. bug.net) under /etc. This will save you some time:

find /etc -type f -exec grep imaginary.domain.here /dev/null {} \;

I don't have access to a Mac OS X box, ask your local guru for help. The Linux tips will probably apply to some degree here.

This problem has wasted hours of my time, and no doubt this dirty dealing is making the people doing it a lot of money in ad revenue (or stolen passwords, or identity theft). I'd like to return them the favour by spreading the information on how to fix this around. With any luck I can make a severe dent in the amount of money they make from this fraud as special thanks for them wasting so much of my time. I hope that by posting this information in enough places I can cost these fraudsters a lot of money. If you're behind this, consider this my special thank you for doing this to me. Hope it costs you a fortune.

Anti-malware and anti-virus developers: keep an eye out for this trick, if you aren't already. You can test for it by trying to look up a long random string prepended to the current domain name, and seeing if you get results. There aren't many legitimate uses for a wildcard capture of such names when specified as a local domain on a private subnet; worth a warning, at least.

Hope this helps people out of a similar jam.
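The two checks described in the post above (localhost must resolve to loopback, and a long random label under each configured search suffix must not resolve) as an added Python script that is not the poster's own; it parses a constructed resolv.conf, and the resolver callback is injectable so the logic can be exercised without network access. The sample file contents and the suffix names are constructed for illustration; the 66.116.109.101 address is the one quoted in the post.

```python
import random
import socket
import string

# Constructed sample of an /etc/resolv.conf like the one the post describes.
SAMPLE_RESOLV_CONF = """\
# constructed example, not a real file
nameserver 192.0.2.53
domain bug.net
search bug.net localdomain
"""


def parse_search_suffixes(text):
    """Collect every suffix from 'domain' and 'search' lines (deduplicated, lower-cased).
    A real resolver only honours the last such line, but for a hygiene check we probe all."""
    suffixes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if parts and parts[0] in ("domain", "search"):
            for s in parts[1:]:
                s = s.rstrip(".").lower()
                if s and s not in suffixes:
                    suffixes.append(s)
    return suffixes


def _system_resolve(name):
    """Default resolver: list of addresses, or [] when the name does not exist."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def localhost_ok(resolve=_system_resolve):
    """True only if 'localhost' answers with loopback addresses (::1 allowed on IPv6 hosts)."""
    addrs = resolve("localhost")
    return bool(addrs) and all(a in ("127.0.0.1", "::1") for a in addrs)


def check_suffixes(suffixes, resolve=_system_resolve):
    """Probe each suffix with a random 40-character label; any answer means wildcard capture."""
    findings = {}
    for suffix in suffixes:
        probe = "".join(random.choice(string.ascii_lowercase) for _ in range(40))
        findings[suffix] = resolve(probe + "." + suffix)  # non-empty list => suspicious
    return findings


if __name__ == "__main__":
    print("localhost ok:", localhost_ok())
    print(check_suffixes(parse_search_suffixes(SAMPLE_RESOLV_CONF)))
```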
 
