1

If I enter a URL incorrectly, my Firefox browser occasionally redirects me to http://searchguide.level3.com

  1. This occurs in Chrome too.
  2. I've restarted Firefox in safe mode, and it still happens.
  3. I've restarted Windows 10 in safe mode, and it still happens.
  4. I've installed Hitman Pro Alert. The scan found nothing, and could not prevent the redirect.
  5. My HOSTS file is clean.
  6. My ethernet settings IPv4 properties use Google's DNS: 8.8.8.8 and 8.8.4.4
  7. The only other issue I have is when visiting http://www.moneysavingexpert.com which produces numerous pop-up windows, unless I disable scripts.
  8. I have Comodo Internet Security (antivirus and firewall) installed, and it identifies nothing.

Any other suggestions?

kenorb
  • 26,615

3 Answers

1

It's also very likely that you're using free public DNS servers between 4.2.2.1 and 4.2.2.6. This range of IPs is operated by Level 3's network, so the configuration of their DNS is basically redirecting you to their search engine. See: What is 4.2.2.2?

Here are simple *nix shell command lines to check:

$ dig non-existing.domain
        ︙
;; ANSWER SECTION:
non-existing.domain.    10  IN  A   104.239.213.7
non-existing.domain.    10  IN  A   198.105.254.11
        ︙

$ dig non-existing.domain | grep SERVER
;; SERVER: 4.2.2.1#53(4.2.2.1)

If that's the case, you can change your DNS server to

  • the one your ISP is providing for your network,
  • your local DNS, such as your gateway/router [1],
  • Google Public DNS: 8.8.8.8 and 8.8.4.4, or
  • OpenDNS: 208.67.222.222 and 208.67.220.220

Note that some DNS servers will give you an answer, containing the IP address of a search engine, for nonexistent domain names.  Others won’t give you any answer.  Many people are annoyed to be redirected to a search engine, but this behavior is not intrinsically malicious.

Related: Non-existing URLs redirect to “searchguide - level 3” in Safari at Apple.SE
_______________
[1] Of course, then you have to worry about what real DNS server your gateway/router is using.

kenorb
  • 26,615
0

Doing a search for 82.163.143.157 shows that this IP is from Israel, which seemed suspicious to me. Looking around the Internet, I see that the 82.163 IP address range brings up a lot of articles related to DNSUnlocker, which is a malware/adware program. You should take a look in your installed programs directory and scheduled tasks, as shown in https://forums.malwarebytes.com/topic/172208-removal-instructions-for-dns-unlocker/.

0

I can confirm that DNSUnlocker was the culprit, but I have no idea what program installed it. Although Hitman Pro was not as effective as I hoped, the following two programs were excellent, identifying and quarantining much malware:

  1. Malwarebytes AdwCleaner (free)
  2. Malwarebytes (free version). It's a shame the premium version is so expensive.