mynewslink.com hijacker

Please help! My Vista system browser has been hijacked - I type in any URL into Internet Explorer, it stays in the URL line but the browser goes to mynewslink.com every time. I installed Opera 9.24 and have the same problem on it.

I have checked the Hosts file and it shows nothing untoward.

This problem has been discussed previously but no answer was given.

I have scanned with various AV and Malware packages e.g. Trojan Remover, Windows Defender and McAfee AV (installed on system).

This problem has been noted a few times previously on the web, in Italy, Argentina, Brazil, the UK and the States, first reference I could find was February 2006 but no one has come up with an answer.

HiJack scan does not show anything and one user reported that it went away after a few days and then returned a month later.

The problem is that I cannot use my browsers at all. So it is serious since I cannot get onto the web.

Thanks
 
Browser Hijack Problem - Mynewslink.com

Thanks Muckshifter. There's a lot to do - I'll post a follow up once the problem has been sorted. I have in the meantime flushed the DNS cache but it made no difference.

Cheers
Jlaubza
 
Follow up - the problem spontaneously disappeared 24 hours later - this conforms to previous postings by other victims - now I have to wait and see if it comes back a month later. At least my browser is working again.

Jlaubza
 
Jason Amison said:
Hello jlaubza and welcome to pcreview.

In order to make sure your computer is truly clean, I would like you to post an HJT log.
Download and rename HijackThis (HJT)

  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
    • Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right click on HijackThis.exe and select Rename.
    • Type in crusty.exe and press Enter.
    • Right-click on crusty.exe and select Send To > Desktop (create shortcut)
  • From the desktop open HijackThis.
  • If using Windows Vista, Right-click and Run As Administrator.
  • Click on the Do a system scan and save a log file button
  • Hijackthis will scan and then a log will open in notepad.
  • Copy and then paste the entire contents of the log in your post.
    • Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Although we have renamed Hijackthis to crusty, we will still refer to it as Hijackthis or HJT.

Regards Jason :)

This thread is for the use of jlaubza ONLY. Please do NOT post your own virus/spyware problems into this thread. Instead, open a new thread in the Security, Spyware and Viruses forum

Why are you telling him to rename the HijackThis.exe ????

 
update

Thanks for the guidelines, I'll follow up on this. Will take a day or two as the machine is in use by my wife during the day. In the meantime, the problem reappeared this morning (Sunday). The HP laptop in question is being used at a client and automatically logs on into the client's domain.

My wife, who uses the laptop, rebooted into her original user domain and was then able to get the browser to open without a problem. The problem therefore is associated with the client's domain. Does this help to diagnose the cause?

Thanks
Jlaubza
 
Solution for mynewslink.com hijacker

Hi. I'm writing to clear up some confusion and abundance of bad information online regarding the mynewslink.com "hijacker".

I was affected by this for months. It drove me insane. I'm using Linux, and it affected multiple browsers. But it isn't some sort of amazing cross-platform, cross-browser malware, it's misconfigured network settings, plus some very unscrupulous people taking advantage of it.

The hijacking affects all systems - Windows PCs, Linux, Macs, and so forth. You can search for it with tools, but you won't find it.

When you set up your machine, did you choose an imaginary domain? I did, I chose "bug.net". The people who handle this have set it up so that whenever any request for "bug.net" is made, or anything that includes it at the end, it'll take you to the mynewslink.com page. Thus whenever there is any problem with any web address you use, ever, it'll then try the one under "bug.net", and it'll pretend to exist, and serve you the mynewslink.com page. At the moment, this resolved to 66.116.109.101, as does everything under bug.net.

If you chose any imaginary name that these people own, or have access to, it'll shunt you to the mynewslink.com page at seemingly random intervals. You won't know at the time, but this happens when the first lookup fails. At present (October 2008), you'll be sent to a domains.googlesyndication.com page that includes mynewslink.com in the URL.

The solution is to clean up these settings. Find where you have specified an imaginary domain, and remove it. Use "localdomain" instead, if you must use something.

For Windows XP:

To test if you are affected, do this:
- Left click Start
- Left click Run.
- Type "cmd" (no quotes).
- In the box that comes up, type: nslookup localhost
- If the result contains "127.0.0.1", you are okay. If the result does not, AND contains another address, you are probably affected.

To fix:

- Left click Start.
- Left click Control Panel.
- Double-click Network Connections.
- Right click "Local Network Connection".
- Left click Properties.
- Double-click "Internet Protocol (TCP/IP)".
- Click Advanced.
- Click DNS.
- Look down at any of the DNS suffixes listed, and remove any imaginary ones.

There may be other steps needed, check with your local IT guru.

If you're using Linux:

If you're not sure whether to apply this change or not, run this:

nslookup localhost

If you get *anything* but 127.0.0.1, then you are affected by this or a similar problem. localhost should never return anything but this address.

You can also test it like so:

nslookup really-long-domain-name-that-does-not-exist-3298473298.(your imaginary domain here)

eg.

nslookup zyzyzyzyzyzyzyzyzyahshshshshshsh.bug.net

If something valid comes back, you may have a problem. Try the same address in your browser.

To fix, look for a line like this in /etc/resolv.conf:

domain bug.net

Change it to:

domain localdomain

And everything will be solved.

Once you've cleaned it up, look for other references to the imaginary domain (eg. bug.net) under /etc. This will save you some time:

find /etc -type f -exec grep imaginary.domain.here /dev/null {} \;

I don't have access to a Mac OS X box, ask your local guru for help. The Linux tips will probably apply to some degree here.

This problem has wasted hours of my time, and no doubt this dirty dealing is making the people doing it a lot of money in ad revenue (or stolen passwords, or identity theft). I'd like to return them the favour by spreading the information on how to fix this around. With any luck I can make a severe dent in the amount of money they make from this fraud as special thanks for them wasting so much of my time. I hope that by posting this information in enough places I can cost these fraudsters a lot of money. If you're behind this, consider this my special thank you for doing this to me. Hope it costs you a fortune.

Anti-malware and anti-virus developers: keep an eye out for this trick, if you aren't already. You can test for it by trying to look up a long random string prepended to the current domain name, and seeing if you get results. There aren't many legitimate uses for a wildcard capture of such names when specified as a local domain on a private subnet - worth a warning, at least.

Hope this helps people out of a similar jam.
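
The check suggested in the post above (look up a long random name under each configured DNS suffix and see whether anything answers), as an added example that is not part of the original thread. It assumes a Linux-style /etc/resolv.conf; the function names and the sample configuration are constructed for illustration, with bug.net taken from the post.

```python
import secrets
import socket

# Constructed sample of an affected resolv.conf (bug.net is the post's example domain).
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53
domain bug.net
search corp.example bug.net
"""

def search_suffixes(resolv_conf_text):
    """Return the suffixes on 'domain' and 'search' lines, in order, deduplicated."""
    suffixes = []
    for line in resolv_conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        fields = line.split()
        if fields[0] in ("domain", "search"):
            for suffix in fields[1:]:
                suffix = suffix.rstrip(".").lower()
                if suffix and suffix not in suffixes:
                    suffixes.append(suffix)
    return suffixes

def system_resolve(fqdn):
    """Resolve a name with the OS resolver; return sorted addresses, [] on failure."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})

def wildcard_suffixes(resolv_conf_text, resolve=system_resolve):
    """Map each suffix that answers for a random, nonexistent host to its addresses."""
    hits = {}
    for suffix in search_suffixes(resolv_conf_text):
        # The trailing dot makes the name absolute, so the search list is not re-applied.
        probe = "%s.%s." % (secrets.token_hex(12), suffix)
        addrs = resolve(probe)
        if addrs:
            hits[suffix] = addrs
    return hits

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for suffix, addrs in wildcard_suffixes(fh.read()).items():
            print("WARNING: %s answers for random names: %s" % (suffix, ", ".join(addrs)))
```

Any suffix it reports is one to remove or replace in the settings the post describes.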
 