Websites Redirecting to localhost

angeln186
Hi Guys,

I am having a problem with a Windows XP computer. It is definitely infected with some sort of virus. google.com loads fine, but the searches from Google keep getting redirected somewhere else.
What's more, when I try to ping antivirus and anti-spyware websites, I am directed to the localhost address of 127.0.0.1.
I have tried Lavasoft Ad-Aware, Spybot, Symantec AntiVirus, Malwarebytes and HijackThis, but to no avail.
Any ideas, if anybody has experienced this before?
    NotSoChiGuy

    ....logging onto the PC as a different user, and seeing if it still happens?

    I bring this up, because your problem sounds very similar to one we encountered not too long ago (about 8 or so days). All of the typical scanners found nothing (even tried a couple rootkit scanners). However, there was definitely something wrong.

    Once someone else logged onto the PC, the same issues didn't occur. We copied the user's data, blew away the old profile and created a new one, and it was golden.

    We're still in the process of going back through the Websense logs to the start date of the issue, to see if we can determine anything other than something must have been dropped into the IE cache (problem didn't occur with FireFox). However, it was a laptop user, so it could have easily happened outside our perimeter.

    Never have seen anything like it that wasn't detected by any tool at all.

    angeln186

    Yes, I have tried switching users, and I do not believe it to be 100% browser related because I am redirected to localhost when I try pinging from the command prompt.
    And the redirection of links after a Google search happens in Firefox and IE, as well as for any user.

    GMPont

    Are you running an "Internet Security" package like Norton's or McAfee's? I've seen them hose connections many a time and I know Norton redirects to 127.0.0.1 to filter your web traffic. If you have one of these packages, turn off the firewall and get rid of their proxy settings. If you still have the installation files or CD, it may be easier to remove the package temporarily to see if it resolves the problem.

    If that doesn't work or doesn't apply, I would recommend checking your DNS settings, proxy settings, and HOSTS file.

    You seemed to have tried most of the anti-malware software that I would recommend, but I would also try CoolWebShredder.

    If none of this resolves your issue, you may have to slave your hard drive on another PC running a clean (and secure) OS to run scans. I would definitely try more than one AV engine, as they all miss stuff these days. Bitdefender, Panda, Trend Micro, and a bunch of others offer free scans via their web-site(s).

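    GMPont's HOSTS-file check, as an added example that is not part of the thread: a small Python audit of a Windows HOSTS file that flags security-vendor names sinkholed to loopback (the symptom the original poster sees when pinging anti-virus sites) and names pinned to an outside address. The sample HOSTS content and the vendor keyword list are constructed assumptions; on XP the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Audit a Windows HOSTS file for malware-style redirects.

Added example, not from the thread. SAMPLE_HOSTS below is constructed, and
SECURITY_KEYWORDS is an assumed list of vendor name fragments; extend it for
your environment. On Windows XP the real file is
%SystemRoot%\\system32\\drivers\\etc\\hosts.
"""
import ipaddress

# Names the stock XP hosts file legitimately maps to loopback.
EXPECTED_LOOPBACK = {"localhost"}

# Assumed fragments of security-vendor and update hostnames.
SECURITY_KEYWORDS = ("symantec", "norton", "mcafee", "kaspersky", "avg",
                     "lavasoft", "malwarebytes", "safer-networking",
                     "windowsupdate", "microsoft")

# Constructed sample: the stock header, the legitimate localhost line, several
# vendor sites sinkholed to 127.0.0.1 and one search site pinned elsewhere
# (203.0.113.7 is a documentation address, not a real malicious host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.lavasoft.com
127.0.0.1       update.microsoft.com
203.0.113.7     www.google.com   # constructed: search traffic pointed elsewhere
"""


def parse_hosts(text):
    """Return (address, hostname) pairs the Windows resolver would honour.

    Comments start at '#', one address may carry several names, and a line
    whose first token is not an IP address is skipped, as Windows skips it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        for name in tokens[1:]:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text):
    """Return (hostname, address, reason) for every entry worth a second look."""
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback:
            if name in EXPECTED_LOOPBACK:
                continue
            if any(k in name for k in SECURITY_KEYWORDS):
                reason = "security site sinkholed to loopback"
            else:
                reason = "unexpected loopback mapping"
        else:
            reason = "name pinned to external address"
        findings.append((name, str(addr), reason))
    return findings


if __name__ == "__main__":
    for name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{addr:<16} {name:<32} {reason}")
```

    On a real machine, feed `audit_hosts()` the contents of the live file; a clean XP hosts file is just the Microsoft header plus the localhost line, so anything else it reports is a candidate for removal. Malware commonly sets the hidden and read-only attributes on the file, so open it from an elevated command prompt rather than trusting what Explorer shows. This explains the ping-to-127.0.0.1 symptom only; the search-result redirect the original poster also sees is outside the HOSTS file and points at the DNS and driver tampering discussed later in the thread.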
    angeln186

    The thing is, if I type the website address in myself, it works (unless it's an anti-virus related site, which is directed to localhost).
    When I Google these addresses and click on the link that comes up, that's when I get redirected to some other site, usually with IP 64.111.196.117.

    GMPont

    You are definitely infected, alright. That IP is a known malware IP. You will be hard pressed to remove what you have while booting into that OS. It might not be impossible, but exceedingly difficult at the very least.

    If you know anyone with a desktop PC, I would slave your hard drive to theirs and run as many free AV scans as you can from major AV manufacturers: Trend Micro, Bitdefender, Panda, etc. You can usually just do a Google search for "vendorname" free online scan and it will come up as the first link. Just be careful, because there are a lot of fake ones out there that will further infect you if you're not careful.

    Also, it is worth mentioning that you want to navigate around that drive as little as possible while it is slaved in someone else's machine, at least until it is clean.

    ---TK---

    Personally, I would back up your data and apps, and reformat the PC... Might be a little quicker.

    But then again, it might be a little more personal now... It's always nice to overcome the issue and claim victory!

    ravi_sukla

    I was having the same issue and ran Norton, Malwarebytes, AntiBot etc. with no luck, so finally I started looking at hidden files and found resycler in the root of C: (C:\resycled\boot.com etc.), which is nothing but a DNS changer. If you are not severely affected, then you will see the DNS field in your TCP/IP settings populated with some DNS server address even if you set your PC to get an IP automatically. If it is severe, then you will not find these settings but will see these trojans in hidden files. The best thing you can do is update your anti-malware and run a full scan.

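    An added example, not from ravi_sukla's post, of the check the post describes: static DNS servers lingering in an interface's TCP/IP settings even though the adapter is set to obtain an address automatically. The script parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s` prints on Windows XP and flags any interface with EnableDHCP set and a non-empty NameServer value. The sample output is constructed: the interface GUIDs are made up and the 203.0.113.x addresses are documentation addresses standing in for a rogue resolver.

```python
"""Flag interfaces that have static DNS servers while set to DHCP.

Added example, not from the thread. Input is the text printed by
`reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces /s`
on Windows XP. SAMPLE_REG_QUERY is constructed: the interface GUIDs are made
up and 203.0.113.x are documentation addresses standing in for a rogue resolver.
"""
import re
from typing import Dict, List, Tuple

# One "name    REG_TYPE    data" line under a key; data may be empty.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{1B2C3D4E-0000-0000-0000-000000000001}
    EnableDHCP    REG_DWORD    0x1
    IPAddress    REG_MULTI_SZ    0.0.0.0
    NameServer    REG_SZ    203.0.113.53,203.0.113.54
    DhcpIPAddress    REG_SZ    192.168.1.23
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{1B2C3D4E-0000-0000-0000-000000000002}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.1.1
"""


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path to its {value name: data} dictionary."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name, _reg_type, data = match.groups()
            keys[current][name] = data.strip()
    return keys


def find_static_dns_under_dhcp(text: str) -> List[Tuple[str, List[str], str]]:
    """Return (interface GUID, static DNS servers, DHCP-offered DNS servers).

    Windows uses NameServer in preference to DhcpNameServer whenever
    NameServer is non-empty, so a DNS changer only has to write that one
    value; the adapter still reports "Obtain an IP address automatically".
    """
    findings = []
    for key, values in parse_reg_query(text).items():
        dhcp_on = int(values.get("EnableDHCP", "0x0"), 16) == 1
        static_dns = values.get("NameServer", "")
        if dhcp_on and static_dns:
            servers = [s for s in re.split(r"[,\s]+", static_dns) if s]
            guid = key.rsplit("\\", 1)[-1]
            findings.append((guid, servers, values.get("DhcpNameServer", "")))
    return findings


if __name__ == "__main__":
    for guid, servers, offered in find_static_dns_under_dhcp(SAMPLE_REG_QUERY):
        print(f"{guid}: static DNS {servers} overrides DHCP-offered {offered!r}")
```

    Pipe the real `reg query` output into `find_static_dns_under_dhcp()`; the global `Tcpip\Parameters\NameServer` value is worth the same look. Clear a flagged interface with `netsh interface ip set dns "Local Area Connection" dhcp` (the XP syntax, substituting the connection name), but only after the dropper is gone, or the value simply comes back on the next boot, which matches what redwards44 saw after the folder was deleted.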
    redwards44

    I had the same resycler\boot.com issue with a client last night. Avast detected it and deleted the folder but we still had the wrong DNS information in the TCP/IP. We ended up just doing a system restore to 3 weeks ago. So far everything is working fine.

    cookspc

    I'm sure you have it solved by now, but it is usually a rootkit installed as a device driver named TDDSxxxx.sys. The key to removing it is using Device Manager to disable it. You have to select "Show hidden devices" to see it, then disable it... DO NOT UNINSTALL it; it will just be reinstalled. After it is disabled, run your malware removers and they can remove it. Until it is disabled it cannot be removed. The antivirus program must have rootkit detectors to be able to see and remove it. I have used AVG 8 and Malwarebytes to detect and remove it after disabling. Others may work.
