If I enter a URL incorrectly, my Firefox browser occasionally redirects me to http://searchguide.level3.com

  1. This occurs in Chrome too.
  2. I've restarted Firefox in safe mode, and it still happens
  3. I've restarted Windows 10 in safe mode, and it still happens
  4. I've installed Hitman Pro Alert. The scan found nothing, and could not prevent the redirect.
  5. My HOSTS file is clean.
  6. My ethernet settings IPv4 properties use Google's DNS: 8.8.8.8 and 8.8.4.4
  7. The only other issue I have is when visiting http://www.moneysavingexpert.com which produces numerous pop-up windows, unless I disable scripts.
  8. I have Comodo Internet Security (antivirus and firewall) installed, and it identifies nothing.

Any other suggestions?

kenorb
iantresman
  • What's the output of a nslookup to any domain that redirects you to level3? Does it happen with other machines in the same network too? – Patrick R. Jan 30 '17 at 16:44
  • Have you checked under Advanced settings for IPv4 that the Google DNS are the only ones specified for your Network Adapter? – Kārlis K. Jan 17 '17 at 20:09
  • Bullseye! Found new entries at 82.163.143.157 and 82.163.142.159. (1) You'd think that the main DNS screen would indicate there are settings that are not showing. (2) Any way to find out what injected the settings? – iantresman Jan 17 '17 at 20:18
  • The usual IPv4 settings panel displays only the first two entries in the DNS lookup list, hence the additional entries can be "hidden" ... If none of the anti-malware/anti-virus software detected anything on your system, I'd assume that whatever did that is no longer on your system; it could have been a one-time script event kind of a deal that you got by visiting an unsafe or infected website (sometimes even adverts on an otherwise completely safe website can get your computer infected). – Kārlis K. Jan 18 '17 at 09:08
  • You could try out Sophos Home... they seem to be lately specializing in catching and detecting cryptolockers and various hijackers. – Kārlis K. Jan 18 '17 at 09:09

3 Answers

1

It's also very likely that you're using free public DNS servers between 4.2.2.1 and 4.2.2.6. This range of IPs is operated by Level 3's network, so configuration of their DNS is basically redirecting you to their search engine. See: What is 4.2.2.2?

Here are simple *nix shell command lines to check:

$ dig non-existing.domain
        ︙
;; ANSWER SECTION:
non-existing.domain.    10  IN  A   104.239.213.7
non-existing.domain.    10  IN  A   198.105.254.11
        ︙

$ dig non-existing.domain | grep SERVER
;; SERVER: 4.2.2.1#53(4.2.2.1)

If that's the case, you can change your DNS server to

  • the one your ISP is providing for your network,
  • your local DNS, such as your gateway/router1,
  • Google Public DNS: 8.8.8.8 and 8.8.4.4, or
  • OpenDNS: 208.67.222.222 and 208.67.220.220

Note that some DNS servers will give you an answer, containing the IP address of a search engine, for nonexistent domain names.  Others won’t give you any answer.  Many people are annoyed to be redirected to a search engine, but this behavior is not intrinsically malicious.

Related: Non-existing URLs redirect to “searchguide - level 3” in Safari at Apple.SE
_______________
1 of course then you have to worry about what real DNS server your gateway/router is using

kenorb
  • I edited your answer to clarify that, on the first `dig` command, you are not showing the complete output from the command. (See comments in the markdown for other options.) Please make similar change(s) to your answer on Ask Different (https://apple.stackexchange.com/a/285617), since I don't have an account there. Consider also saying something about the significance of the `->>HEADER<<-` line (i.e., `status` field `NOERROR` vs. `NXDOMAIN`, and `ANSWER: 1` vs. `ANSWER: 0`). – Scott - Слава Україні Jun 17 '17 at 21:07
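The check the answer and the comment above describe (is the resolver one of Level 3's 4.2.2.x addresses, and does it answer NOERROR with A records for a name that cannot exist, instead of NXDOMAIN with no answers) and the audit the question's comment thread turned on (every configured resolver, not just the two the Windows IPv4 dialog shows) can both be scripted. The following is an added example, not code from the original answer or from Level 3: it builds a DNS query, parses the wire-format reply, classifies it, and flags resolver entries outside an allowlist. The two sample responses and the sample NameServer value are constructed here, using the addresses quoted on this page; `probe()` does a live lookup and is the only part that needs the network.

```python
"""NXDOMAIN-hijack check and resolver-list audit.

Added example, not code from the original answer or from Level 3.
The sample responses below are constructed; the two IPs in the
"hijacked" sample are the ones the answer's dig output showed.
"""
import ipaddress
import os
import re
import socket
import struct

# 4.2.2.1-4.2.2.6 are the Level 3 public resolvers named in the answer.
LEVEL3_RESOLVERS = {"4.2.2.%d" % i for i in range(1, 7)}
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with the RD bit set (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_response(query, rcode, a_records=(), ttl=10):
    """Constructed reply to `query`: echoes the question; the owner name of
    each answer is a compression pointer to offset 12, as real replies use."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        for ip in a_records)
    return header + query[12:] + rrs


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return the header RCODE, the question name and any A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    for _ in range(an):
        _owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x0F, "qname": qname, "answers": answers}


def classify(resp):
    """NXDOMAIN with no answers is the honest reply for a nonexistent name;
    NOERROR with A records means the resolver rewrote the NXDOMAIN."""
    if resp["rcode"] == RCODE_NXDOMAIN and not resp["answers"]:
        return "honest"
    if resp["rcode"] == RCODE_NOERROR and resp["answers"]:
        return "hijacked"
    return "ambiguous"


def probe(server, timeout=3.0):
    """Live check: ask `server` about a random name that cannot exist."""
    name = "nx-" + os.urandom(6).hex() + ".com"
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction id mismatch")
    return {"server": server, "level3": server in LEVEL3_RESOLVERS,
            "name": name, "verdict": classify(resp), "answers": resp["answers"]}


def unexpected_resolvers(configured, allowlist=("8.8.8.8", "8.8.4.4")):
    """Resolvers you did not set. Pass the full list (on Windows: every entry
    from Get-DnsClientServerAddress or the registry NameServer value)."""
    if isinstance(configured, str):                   # "a.b.c.d,e.f.g.h" form
        configured = [s for s in re.split(r"[,\s]+", configured) if s]
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    return [ip for ip in configured if ipaddress.ip_address(ip) not in allowed]


# Constructed samples mirroring the answer's dig output and the asker's find.
QUERY = build_query("non-existing.domain")
HIJACKED = build_response(QUERY, RCODE_NOERROR, ["104.239.213.7", "198.105.254.11"])
HONEST = build_response(QUERY, RCODE_NXDOMAIN)
SAMPLE_NAMESERVER_VALUE = "8.8.8.8,8.8.4.4,82.163.143.157,82.163.142.159"

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED), ("honest", HONEST)):
        r = parse_response(raw)
        print(label, "rcode", r["rcode"], r["answers"], "->", classify(r))
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_NAMESERVER_VALUE))
```

Run the file as-is to see the two constructed replies classified; call `probe("4.2.2.1")` (or whatever address `dig ... | grep SERVER` reports) for a live verdict. The random label matters: a fixed name like `non-existing.domain` can be cached or special-cased, while a fresh label forces the resolver to show what it does with an NXDOMAIN. An "ambiguous" verdict (for example NXDOMAIN plus answers, or NOERROR with an empty answer section) is worth looking at by hand rather than trusting either way.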
0

Doing a search for 82.163.143.157 shows that this IP is from Israel, which seemed suspicious to me. Looking around the internets I see that the 82.163 IP address range brings up a lot of articles related to DNSUnlocker, which is a malware/adware program. You should take a look in your installed programs directory and scheduled tasks as shown in https://forums.malwarebytes.com/topic/172208-removal-instructions-for-dns-unlocker/.

0

I can confirm that DNSUnlocker was the culprit, but I have no idea what program installed it. Although Hitman Pro was not as effective as I hoped, the following two programs were excellent, identifying and quarantining much malware:

  1. Malwarebytes AdwCleaner (free)
  2. Malwarebytes (free version). It's a shame the premium version is so expensive.
iantresman