PDA

View Full Version : Help Get Rid Of mynewslink!!



Tim_Olaguna
5th April 2006, 08:09 PM
I'm running Fedora 5 and using Firefox as my browser. On random pages I get "Welcome to mynewslink.com", something I don't want at all. Sometimes it takes over whole pages in place of a link I have clicked on to access. Even Google!! Sometimes it just shows up in a portion (column, window, ad block, etc.) of a page. I have tried eliminating cookies. No help. Does anyone have any ideas? I do not get this unwanted link on my Windows or iMac boxes.

bob
5th April 2006, 08:46 PM
Well, your browser's hijacked and it certainly does happen on macs and windows boxes. Here's a couple of links that Google provided:

http://www.computing.net/mac/wwwboard/forum/11604.html
http://support.microsoft.com/newsgroups/newsReader.aspx?dg=microsoft.public.windows.server .sbs&tid=28eb5e19-2fc5-4a30-a909-f5c306dbf358&p=1

Good luck

CursedD
17th October 2008, 02:02 AM
Hi. I'm writing to clear up some confusion and abundance of bad information online regarding the mynewslink.com "hijacker".

I was affected by this for months. It drove me insane. I'm using Linux, and it affected multiple browsers. But it isn't some sort of amazing cross-platform, cross-browser malware, it's misconfigured network settings, plus some very unscrupulous people taking advantage of it.

The hijacking affects all systems- Windows PCs, Linux, Macs, so forth. You can search for it with tools, but you won't find it.

When you set up your machine, did you choose an imaginary domain? I did, I chose "bug.net". The people who handle this have set it up so that whenever any request for "bug.net" is made, or anything that includes it at the end, it'll take you to the mynewslink.com page. Thus whenever there is any problem with any web address you use, ever, it'll then try the one under "bug.net", and it'll pretend to exist, and serve you the mynewslink.com page. At the moment, this resolved to 66.116.109.101, as does everything under bug.net.

If you chose any imaginary name that these people own, or have access to, it'll shunt you to the mynewslink.com page at seemingly random intervals. You won't know at the time, but this happens when the first lookup fails. At present (October 2008), you'll be sent to a domains.googlesyndication.com page that includes mynewslink.com in the URL.

The solution is to clean up these settings. Find where you have specified an imaginary domain, and remove it. Use "localdomain" instead, if you must use something.

For Windows XP:

To test if you are affected, do this:
- Left click Start
- Left click Run.
- Type "cmd" (no quotes).
- In the box that comes up, type: nslookup localhost
- If the result contains "127.0.0.1", you are okay. If the result does not, AND contains another address, you are probably affected.

To fix:

- Left click Start.
- Left click Control Panel.
- Double-click Network Connections.
- Right click "Local Network Connection".
- Left click Properties.
- Double-click "Internet Protocol (TCP/IP)".
- Click Advanced.
- Click DNS.
- Look down at any of the DNS suffixes listed, and remove any imaginary ones.

There may be other steps needed, check with your local IT guru.

If you're using Linux:

If you're not sure whether to apply this change or not, run this:

nslookup localhost

If you get *anything* but 127.0.0.1, then you are affected by this or a similar problem. localhost should never return anything but this address.

You can also test it like so:

nslookup really-long-domain-name-that-does-not-exist-3298473298.(your imaginary domain here)

eg.

nslookup zyzyzyzyzyzyzyzyzyahshshshshshsh.bug.net

If something valid comes back, you may have a problem. Try the same address in your browser.

To fix, look for a line like this in /etc/resolv.conf:

domain bug.net

Change it to:

domain localdomain

And everything will be solved.

Once you've cleaned it up, look for other references to the imaginary domain (eg. bug.net) under /etc. This will save you some time:

find /etc -type f -exec grep imaginary.domain.here /dev/null {} \;

I don't have access to a Mac OS X box, ask your local guru for help. The Linux tips will probably apply to some degree here.

This problem has wasted hours of my time, and no doubt this dirty dealing is making the people doing it a lot of money in ad revenue (or stolen passwords, or identity theft). I'd like to return them the favour by spreading the information on how to fix this around. With any luck I can make a severe dent in the amount of money they make from this fraud as special thanks for them wasting so much of my time. I hope that by posting this information in enough places I can cost these fraudsters a lot of money. If you're behind this, consider this my special thankyou for doing this to me. Hope it costs you a fortune.

Anti-malware and anti-virus developers: keep an eye out for this trick, if you aren't already. You can test for it by trying to lookup a long random string prepended to the current domain name, and seeing if you get results. There aren't many legitimate uses for a wildcard capture of such names when specified as a local domain on a private subnet- worth a warning, at least.

Hope this helps people out of a similar jam.