
Removing searchguide.level3.com


Somehow my browser default search for unknown domains has been hijacked by searchguide.level3.com.

 

I have run a Threat Scan (report attached) and it came back clear. I've tried everything I've found on the web and still can't remove it. I don't see anything in installed apps, I've reset my browser defaults, cleared cookies, etc.

 

Thanks for the help.

 

 

David999-scan-20181228.txt


This is not malicious activity and can be construed as normal.

This may happen if you are using a Level-3 DNS Server.  I use former GTE DNS servers  [ 14.2.2.1, 4.2.2.2, etc ] which are now part of Level-3.  If you visit a recently poisoned Domain you may get a web page of searchguide.level3.com showing topics relevant to the Domain name that you tried to visit.

** Again, this is not malicious activity and this can be considered normal as long as you are using Level-3 DNS Servers.


1.  The former GTE DNS Servers are used because they are very fast Public DNS Servers.

NetRange:       4.0.0.0 - 4.255.255.255
CIDR:           4.0.0.0/8
NetName:        LVLT-ORG-4-8
NetHandle:      NET-4-0-0-0-1
Parent:          ()
NetType:        Direct Allocation
OriginAS:       
Organization:   Level 3 Parent, LLC (LPL-141)
RegDate:        1992-12-01
Updated:        2018-02-20
Ref:            https://rdap.arin.net/registry/ip/4.0.0.0

 

Edited by David H. Lipman

That's the issue. I'm not using Level3 servers. I'm behind a DHCP server and none of my other computers/smartphones/etc exhibit the same behavior. And, prior to installing 7-Zip to unpack a GZ file, I wasn't getting this search page. I'm not saying 7-Zip is to blame but it did happen at the same time.


Here's output from ipconfig

 

Quote

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dplittle-Atl-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : F8-BC-12-8E-86-5D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8571:d50b:5cfa:2233%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.2.69(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, November 28, 2018 6:31:41 PM
   Lease Expires . . . . . . . . . . : Thursday, November 29, 2018 12:46:24 PM
   Default Gateway . . . . . . . . . : 10.0.2.1
   DHCP Server . . . . . . . . . . . : 10.0.2.1
   DHCPv6 IAID . . . . . . . . . . . : 251182098
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-A9-72-3C-F8-BC-12-8E-86-5D
   DNS Servers . . . . . . . . . . . : 10.0.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

 

Since I'm getting my DNS through my router, wouldn't ALL my devices behind that router get the same servers? Since that isn't the case, it has to be localized to my one machine and was not set up specifically (ergo, malware).


You may be behind a SOHO Router that uses DNS forwarding.  That is, the Router will get DNS Servers from the ISP.  The LAN nodes get an IP from the Router, which includes the DNS Servers.  If said Router does DNS Forwarding then the DNS Server IP will be the same IP as the Gateway.  From the IPconfig dump that you provided, that is the case.  The DHCP server is the Gateway and the Gateway performs DNS Forwarding, so the DNS IP is that of the Gateway.

In your case 10.0.2.1

 

 


And here is a little more information ... prior to closing Chrome down after the infection, only my main window went to searchguide.level3.com. I had an Incognito window open too for testing and it went to Google as normal. After resetting Chrome both the main and Incognito windows went to searchguide.level3.com.

 

Just another indicator to me that it is not being driven by the router's DNS but something on this one PC.


Yes.  Presumably they would relatively get the same type of DHCP response but it depends on the ClassID and Options provided in the DHCP Packet.  However, that does not mean all devices, OSes and browsers act the same way based upon the query and the User-Agent provided by said query.

** Again, this is not malicious activity and this can be considered normal as long as you are using Level-3 DNS Servers.  There is nothing nefarious going on here.


Go to;  http://searchguide.level3.com/

Reference:  http://searchguide.level3.com/#faq-modal

Quote

Why Am I Here?

The Level3 Search Guide has been enabled to provide helpful searches from web address errors. You entered an unknown or non-existent domain name which the service used in order to present site suggestions which you may find useful. Clicking any of these suggestions provides you with Yahoo! search results, which may include relevant sponsored links.

Image.thumb.jpg.f101a7966c1e44a13ca8f06ac93ebd87.jpg

In the Above - Choose;  Settings

-------------

In the below Choose;  Off

Choose;  Save

Image.thumb.jpg.d4770ec7c525209505925c0205a6b905.jpg

Edited by David H. Lipman

I wish I could. When I try to go to the site directly the URL becomes ....

 


 

And then the page shows ...

 

Quote

Bad Request

Your browser sent a request that this server could not understand.

Reference #7.1fb54917.1543518350.0

 


You can place searchguide.level3.com in the etc/hosts file

0.0.0.0   searchguide.level3.com

Or you can replace the DHCP Servers on the Router with static public DNS servers such as from Google: 8.8.8.8 and 8.8.4.4

This is how it appears on my ActionTec Router.  It shows 8.8.8.8 and 4.2.2.3 because I use both, but you can just set them to the above Google DNS Servers and override what the Router gets from the ISP with your own settings.

Image.jpg.79987746a8548c8cdb9bd166427a717c.jpg

 

Edited by David H. Lipman

  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
