Web pages all redirect to fake sites!!

Serendipity
Serendipity Posts: 6,975
edited December 2008 in The Clubhouse
So - I'm doing a simple Google search for a project yesterday and noticed that every site I click on gets redirected to a different site! For example, Polk Audio redirects to "Free Coupons."

Most of these websites are spammy "search" sites, so the first thing I think is that I've got a spyware infection.

However, I go on another PC and lo and behold - I get the same thing!

Was my ISP hacked?
polkaudio RT35 Bookshelves
polkaudio 255c-RT Inwalls
polkaudio DSWPro550WI
polkaudio XRT12 XM Tuner
polkaudio RM6750 5.1

Front projection, 2 channel, car audio... life is good!

Comments

  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    Attached is a pic of what I am talking about -

    Now Polk Audio redirects to lowpriceshopper.com!!

    P.S. I scanned for spyware too and couldn't find anything.
  • shack
    shack Posts: 11,154
    edited December 2008
    You definitely have some malware infection from a virus or trojan that spyware removers won't fix. What antivirus are you running?
    "Just because you’re offended doesn’t mean you’re right." - Ricky Gervais

    "For those who believe, no proof is necessary. For those who don't believe, no proof is possible." - Stuart Chase

    "Consistency requires you to be as ignorant today as you were a year ago." - Bernard Berenson
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    My antivirus is AVG 8.0. It's always updated daily and I do scans all the time.

    For antispyware I use Spybot S&D and Ad-Aware.

    If I had a virus or trojan, why is this issue happening on EVERY computer attached to my home ISP? Especially my laptop which I just brought home yesterday? It would be a bit odd that none of this happens at school, but the day I take the laptop home I experience this problem?
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    Also, some of the PC's at home are never connected to the Internet (for example, my HTPC).

    I'm starting to think this is with my ISP - even a clean PC is doing this. (If I do a full format of my laptop and I get this again, then I'll know for sure.)
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    I can see where you are coming from.

    But this seems like a DNS attack on the ISP's side - which explains why machines with a clean install of XP still exhibit this problem.

    I'm going to get someone to bring a laptop over and see if their machine does this too.
  • sucks2beme
    sucks2beme Posts: 5,601
    edited December 2008
    Did you run all the MS updates before surfing in general?
    Were your other PCs turned on and on the network?
    You might be getting re-infected from another PC at the house.
    I recall something similar happening many years ago.
    "The legitimate powers of government extend to such acts only as are injurious to others. But it does me no injury for my neighbour to say there are twenty gods, or no god. It neither picks my pocket nor breaks my leg." --Thomas Jefferson
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    1. Yes, why? Does it make a difference?
    2. No, I made sure every other PC was turned off so that one PC couldn't infect another
    3. Sure, but my HTPC is standalone and has never been online before.

    I could just reformat one of the machines, isolate it from the network, and go to a neighbor's to use their internet connection. That way I'll know if it is the ISP or not.
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    I have a question -

    If I go to Best Buy/CC and pick up a new PC, hook it up, make sure all the other PCs in the house are turned off, and the FIRST thing I get is the redirecting of sites, would that prove it's not a virus/trojan?
  • bobman1235
    bobman1235 Posts: 10,822
    edited December 2008
    Sounds to me like someone hacked your router and redirected your DNS server. Log into your router and make sure the DNS settings haven't been messed with.

    I set my DNS servers to use OpenDNS. At the very least that site will tell you how to change your DNS servers, no matter what you want them to point to.
    If you will it, dude, it is no dream.
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    bobman1235 wrote: »
    Sounds to me like someone hacked your router and redirected your DNS server. Log into your router and make sure the DNS settings haven't been messed with.

    I set my DNS servers to use OpenDNS. At the very least that site will tell you how to change your DNS servers, no matter what you want them to point to.

    Aha. That makes more sense. If someone hacked my router, this would clearly explain why a newly reformatted machine still got all the sites redirected.

    So what should I check for?
  • bobman1235
    bobman1235 Posts: 10,822
    edited December 2008
    If you're not sure, and you don't have any custom settings in your router, I'd just reset it to its factory state (check your owner's manual), then immediately make sure you change the password and your wireless encryption and all that.

    If you know what you're doing, I'd just go in and look at the "static DNS" lines in the router setup, and make sure they're either blank (which will use your ISP's DNS servers), or using something like OpenDNS that I linked to above.
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    No, they're not blank, and I don't recall it was like that before.

    I just got a new Lenovo laptop today - should I plug it into the router or not?
  • sucks2beme
    sucks2beme Posts: 5,601
    edited December 2008
    appadv wrote: »
    1. Yes, why? Does it make a difference?
    2. No, I made sure every other PC was turned off so that one PC couldn't infect another
    3. Sure, but my HTPC is standalone and has never been online before.

    I could just reformat one of the machines, isolate it from the network, and go to a neighbor's to use their internet connection. That way I'll know if it is the ISP or not.

    I had a customer site where not being up to date on the MS hotfixes was
    the kiss of death. The first time you opened IE, something like this happened.
    It was a HUGE site, and this happened to a number of us working there.
    I wish I could remember the details. It involved "hostfiles" in the windows directory. The problem would go from machine to machine.
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    Sure, I can understand that.

    My new laptop - it's all updated and secure, I'm just hesitant to connect it to the network. Would it get infected too?
  • John30_30
    John30_30 Posts: 1,024
    edited December 2008
    appadv wrote: »
    Sure, I can understand that.

    My new laptop - it's all updated and secure, I'm just hesitant to connect it to the network. Would it get infected too?

    Are you saying all your machines are compromised from just one clicking on the link? Typical AV's won't block them since port 80 (the Web) is open.

    You have to really look hard at some of those links in Google. It really sucks because some ultra-nasty malwares have been wired into the links. If they have a bunch of totally unassociated names in the link, beware. Also hover your cursor over it before you click on something, and check what website it references.
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    John30_30 wrote: »
    Are you saying all your machines are compromised from just one clicking on the link? Typical AV's won't block them since port 80 (the Web) is open.

    You have to really look hard at some of those links in Google. It really sucks because some ultra-nasty malwares have been wired into the links. If they have a bunch of totally unassociated names in the link, beware. Also hover your cursor over it before you click on something, and check what website it references.

    Yes, I noticed that the links are to sites that have TONS of malware!!

    I guess I'm not going to connect my new laptop to the 'net until I get to the bottom of this.
  • mmadden28
    mmadden28 Posts: 4,283
    edited December 2008
    bobman1235 wrote: »
    If you're not sure, and you don't have any custom settings in your router, I'd just reset it to its factory state (check your owner's manual), then immediately make sure you change the password and your wireless encryption and all that.

    If you know what you're doing, I'd just go in and look at the "static DNS" lines in the router setup, and make sure they're either blank (which will use your ISP's DNS servers), or using something like OpenDNS that I linked to above.

    If your router was compromised, then resetting as bobman stated would be the first step.
    You could also try this first to rule out the browser (or proxies or any other malware) as the source of the issue:
    Go to a command prompt (Start>Run>cmd>OK) and type nslookup and hit enter.
    type www.polkaudio.com and hit enter.
    You should get something like this (ignore the **):
    > www.polkaudio.com
    Server: ****
    Address: ****

    Non-authoritative answer:
    Name: polkaudio.com
    Address: 72.32.55.205
    Aliases: www.polkaudio.com
    If you get something different for polkaudio, then you may have an issue with DNS on your router. If it comes back as above, then the router is not your issue.

    Next thing to try is to take that IP address, and use it in your browser.:
    http://72.32.55.205/forums
    When you use an IP address directly, no DNS resolution is required, so the request bypasses the DNS server entirely.
    If it works fine with the IP address, then some malware is intercepting the DNS requests. If it does not work (or serves up the bogus pages), then some malware is intercepting the entire session. This can include a form of proxying, etc. Some toolbars do this as well.

    Try that and let us know what your results are
    ____________________
    This post is a natural product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

    HT:Onkyo 805, Emotiva XPA-5, Mitsu 52" 1080p DLP / polkaudio RTi12, CSIa6, FXi3, uPro4K
    2-chnl : Pio DV-46AV (SACD), Dodd ELP, Emotiva XPA-1s, XPA-2, Odyssey Khartago, LSi9, SDA-SRS 2 :cool:, SB Duet, MSB & Monarchy DACs, Yamaha PX3 TT, SAE Tuner...
    Pool: Atrium 60's/45's
  • mmadden28
    mmadden28 Posts: 4,283
    edited December 2008
    oh and if you do look at your router's config, and it does have a static DNS server entry, let us know what that is as well.
  • mmadden28
    mmadden28 Posts: 4,283
    edited December 2008
    I just reread your original post and realized you were having an issue with Google searches, not everything on the internet, is that right?
    If so , here are the nslookup results for google:
    Non-authoritative answer:
    Name: www.l.google.com
    Addresses: 64.233.169.103, 64.233.169.104, 64.233.169.99, 64.233.169.147
    Aliases: www.google.com

    Try putting those into the URL:
    http://64.233.169.103
    and try your polk audio search again.

    Also, go to the command prompt and do the nslookup for google.com yourself and report back what it gives you.

    Also, look at your hosts file. The hosts file is a text file but has no extension. It's located here: C:\WINDOWS\system32\drivers. This file is consulted before any DNS resolution is requested from a DNS server. A foul entry here will also cause a similar result and could have been modified by malware.

    Again let me know your results.
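The two mmadden28 posts above describe a three-step triage by hand: check the hosts file, check which DNS server the machine is actually using, and compare the answers that server gives against a known-good answer. The Python below is an added example that automates those checks; it is not code from the thread or from any tool mentioned in it. It runs offline over constructed inputs: the hosts-file text is made up, the "rogue" addresses 203.0.113.10 and 192.0.2.53 come from the documentation ranges, the expected-resolver set (the router at 192.168.1.1 plus OpenDNS's 208.67.222.222 and 208.67.220.220) is an assumption about the home network, and the reference answers are the 2008 addresses posted in the thread. On a real Windows machine you would feed it the contents of C:\WINDOWS\system32\drivers\etc\hosts (the standard location; the post above gives the parent directory), the DNS server that `ipconfig /all` reports, and the A records `nslookup` returns from that server.

```python
"""Triage helper for the "every site redirects" symptom in this thread.

Added example (not from the thread). Implements the three checks mmadden28
walks through by hand, over constructed inputs so it runs offline.
"""
import ipaddress

# Constructed hosts file: a tampered copy, not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.polkaudio.com
203.0.113.10    www.google.com    # injected line (constructed)
"""

# Addresses the thread posted as correct nslookup answers in December 2008.
REFERENCE_ANSWERS = {
    "www.polkaudio.com": {"72.32.55.205"},
    "www.google.com": {"64.233.169.103", "64.233.169.104",
                       "64.233.169.99", "64.233.169.147"},
}

# Assumption: resolvers the owner intended, i.e. the router itself or OpenDNS.
EXPECTED_RESOLVERS = {"192.168.1.1", "208.67.222.222", "208.67.220.220"}


def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP, skipping comments and junk."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        for name in fields[1:]:
            mapping[name.lower()] = str(ip)
    return mapping


def suspicious_hosts_entries(mapping):
    """On a home PC, any name pinned to a non-loopback address deserves a look."""
    return {name: ip for name, ip in mapping.items()
            if not ipaddress.ip_address(ip).is_loopback}


def answers_diverge(suspect, reference):
    """Names for which the suspect resolver shares no address with the reference.

    Big sites rotate addresses, so one differing IP proves nothing; requiring
    zero overlap keeps false positives down while catching a wholesale swap.
    """
    return sorted(name for name, good in reference.items()
                  if not (suspect.get(name, set()) & good))


def triage(hosts_text, configured_resolver, suspect_answers,
           expected_resolvers=EXPECTED_RESOLVERS, reference=REFERENCE_ANSWERS):
    """Run all three checks; return a list of (check, evidence) findings."""
    findings = []
    bad_hosts = suspicious_hosts_entries(parse_hosts(hosts_text))
    if bad_hosts:
        findings.append(("hosts_file", bad_hosts))
    if configured_resolver not in expected_resolvers:
        findings.append(("unexpected_resolver", configured_resolver))
    diverged = answers_diverge(suspect_answers, reference)
    if diverged:
        findings.append(("dns_answers", diverged))
    return findings


if __name__ == "__main__":
    # Constructed "infected" scenario: the router hands out rogue resolver
    # 192.0.2.53, which answers correctly for Google but swaps polkaudio.com.
    rogue_answers = {"www.polkaudio.com": {"203.0.113.10"},
                     "www.google.com": {"64.233.169.103"}}
    for check, evidence in triage(SAMPLE_HOSTS, "192.0.2.53", rogue_answers):
        print(f"[!] {check}: {evidence}")
```

The order of findings mirrors the order the checks are applied in the thread: a hosts-file override is local to one PC and explains nothing about a freshly formatted machine, an unexpected resolver points at the router or DHCP, and divergent answers from that resolver confirm the hijack. An empty list means none of the three explains the redirects and the problem sits in the browser or a proxy, which is the case the direct-IP test in the earlier post is meant to separate out.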
  • mmadden28
    mmadden28 Posts: 4,283
    edited December 2008
    Another thing you can try is download a Linux Live distro, such as Ubuntu. You can boot your computer directly from the CD, without having to install it or mess with your existing stuff. This way you can run a browser from there and see if you get the same redirected site problem.
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    Okay - so I go back to my dorm and the Internet connection here is working fine.

    I noticed that my router at home had an entry in the manually added DNS category, so something's up.

    But both my machines work fine when brought to school.
  • bobman1235
    bobman1235 Posts: 10,822
    edited December 2008
    Just remove the entry in the DNS category and you should be fixed. Then make sure you change the password for the router....
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    bobman1235 wrote: »
    Just remove the entry in the DNS category and you should be fixed. THen make sure you change the password for the router....

    Thanks. One of my machines, however, is now displaying random popups and icons are appearing on the desktop out of nowhere. So I guess that one got malware too :(
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    Dangit. How does stuff like this happen?

    Totally malware'd my HP notebook and screwed up my router. At least now I know it was the router, and good thing I didn't connect my new PC to the router!!

    I didn't even know a hacked router could lead to malware.
  • bobman1235
    bobman1235 Posts: 10,822
    edited December 2008
    If the hack redirected you to malicious sites....
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    bobman1235 wrote: »
    If the hack redirected you to malicious sites....

    I get that part...

    The thing is, my router's password is WAY too long for anyone to guess - plus there are %, ?, and $ marks in it. But then who really knows how secure WEP is??
  • Systems
    Systems Posts: 14,873
    edited December 2008
    appadv wrote: »
    I get that part...

    The thing is, my router's password is WAY too long for anyone to guess - plus there are %, ?, and $ marks in it. But then who really knows how secure WEP is??

    You're confusing your WEP encryption with your router login; those are two different things.

    Is the password to log into your router still the default?
    Testing
    Testing
    Testing
  • mmadden28
    mmadden28 Posts: 4,283
    edited December 2008
    Lorthos wrote: »
    Your confusing your wep encryption with your router login, those are two different things.

    Is the password to log into your router still the default?

    Yes, it sounds like you may have the WiFi confused with the router login.
    And WEP is not secure for WiFi. Use WPA2 if you can.
  • Serendipity
    Serendipity Posts: 6,975
    edited December 2008
    mmadden28 wrote: »
    Yes it sounds like you may have the WiFi confuised with the Router login.
    And WEP is not secure for WiFi. Use WPA2 if you can.

    Are you referring to the password for the config page?

    I just type username = admin, password = password to get into the router.
  • Fireman32
    Fireman32 Posts: 4,845
    edited December 2008
    Lasareath wrote: »
    Download this: http://www.malwarebytes.org/mbam.php

    I just used it on a client's laptop that had 131 trojans. It removed them all.

    It's a very powerful program.

    +100 for this program. We had a few machines at the office get infected and was able to remove them with this. Saved me from having to re-image the computer.