Monday, March 09, 2015

Fix stylene.net and bestwebnutfunblack.org redirect (especially for Google Docs)


After more than 3 months as a victim of this browser hijacking/redirecting malware, it had become pretty annoying, and I finally decided to get rid of it for the 10th time. The earlier 9 attempts included updating McAfee, Spybot and MalwareBytes and running a full system scan, none of which could detect the root cause of the problem.

This malware is pretty sneaky to begin with. It redirects links clicked on any website to its site, stylene.net or bestwebnutfunblack.org. Earlier it was stylene.net; recently it's changed to bestwebnutfunblack.org. The malware only redirects pages 50% of the time. The first time I click on a link, it redirects me. When I close the window and try again, I get to my page. This was pretty annoying to work with on a daily basis.

This specific malware has some severe enmity to Google Docs though. When I try to open Google Docs, it redirects 100% of the time, making it virtually impossible to open a Google Doc or Google Sheet, which I need the most on a daily basis for my work.

After trying desperately for so long, finally I figured out the potential culprit, thanks to my non-stop thinking about this malware: DNS Poisoning.

As per Wikipedia,
DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer).

The malware was redirecting my URLs to its URL. The fix that finally worked is to flush the DNS cache with a simple command on the command prompt (Windows Key + R).

ipconfig /flushdns

It gives the result as follows,



Poof. No more redirects. This doesn't fix the actual malware or find out where it resides in my system. But it enabled me to work without hindrance. Most probably, upon restart, the malware may poison the DNS cache again. But I have the command memorized now: ipconfig /flushdns

There you go, a fix for the issue until the anti-virus and malware manufacturers figure out a way to fix this annoying redirection malware.
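
Because the flush can be undone by whatever keeps altering name resolution, here is a read-only check to run before flushing. It is an added example, not part of the original post. It lists cached records for the two redirect domains, shows the cached answer for a name next to a reference resolver's answer, and prints the hosts file and the configured DNS servers. The checked name (docs.google.com) and the reference resolver (8.8.8.8) are assumptions, and the DnsClient cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example: read-only triage to run BEFORE "ipconfig /flushdns".
# Nothing here changes the system; it only reports resolver state.

# Redirect destinations named in the post.
$redirectDomains = 'stylene.net', 'bestwebnutfunblack.org'
# Assumptions: the name to cross-check and the reference resolver.
$namesToCheck    = @('docs.google.com')
$trustedResolver = '8.8.8.8'

# Take one snapshot of the local DNS client cache.
$cache = Get-DnsClientCache

'--- Cached records mentioning the redirect domains ---'
foreach ($d in $redirectDomains) {
    $cache |
        Where-Object { $_.Entry -like "*$d" -or $_.Data -like "*$d" } |
        Select-Object Entry, Type, TimeToLive, Data
}

'--- Cached A records vs. reference resolver ---'
# Large providers legitimately return varying addresses, so a difference
# is a prompt to look closer, not proof of tampering.
foreach ($n in $namesToCheck) {
    $cached = @($cache |
        Where-Object { $_.Entry -eq $n -and $_.Type -eq 1 } |   # 1 = A record
        ForEach-Object Data)
    $fresh = @(Resolve-DnsName -Name $n -Type A -Server $trustedResolver `
                               -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object IPAddress)
    [pscustomobject]@{
        Name      = $n
        Cached    = $cached -join ', '
        Reference = $fresh  -join ', '
    }
}

'--- Active hosts file entries (comments and blanks skipped) ---'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }

'--- DNS servers configured per interface ---'
# An unfamiliar server here would re-poison the cache after every flush.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses
```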

Update! (on 15-Mar-2015)

Finally found the root cause and fixed it! Used Kaspersky's free root kit removal utility (TDSSKiller) and removed about 6 potential threats. Got rid of the pesky redirection issue.

Make sure to run a full scan, selecting all checkboxes in the "Change Parameters" (Settings) page. Screenshot as below.

Kaspersky Rootkit Removal tool
Expect to restart multiple times for the tool to remove all threats. I chose to delete all threats in the report screen. Though I am not sure which among those 6 is the culprit, mHotSpot and PopCorn Time are among them.