Filter or script against yahoo "hsrd" redirect

Totoab57
Posts: 28
Joined: Tue Oct 20, 2015 6:45 pm

Filter or script against yahoo "hsrd" redirect

Post by Totoab57 »

When I choose http://www.yahoo.com as home page, it automatically transfers me within Firefox 42 to the "https" page, but then all the news feeds on that page have the prefix "hsrd" before yahoo.com as in: hsrd.yahoo.com/..........html. Have you heard of any method with ABP to block that redirect, which is described in some blogs as malware that takes over sites with http or https://www.yahoo.com? Can I block that redirect with a script or can you guide me to the proper script? It seems that generic anti-malware software does not remove it easily because it is difficult to locate once established in the system. I am using a Mac with OS X v 10.6.8. Your help would be greatly appreciated. Totoab57
mapx
Posts: 21940
Joined: Thu Jan 06, 2011 2:01 pm

Re: Filter or script against yahoo "hsrd" redirect

Post by mapx »

scan your system (even if mac) for malware
http://malwaretips.com/blogs/remove-mac-os-x-virus/

reset also your hosts file
https://discussions.apple.com/thread/3302665?tstart=0
Totoab57
Posts: 28
Joined: Tue Oct 20, 2015 6:45 pm

Re: Filter or script against yahoo "hsrd" redirect

Post by Totoab57 »

Hi mapx,

I did go to both links and I found 1) that the "hsrd" prefix is a browser hijacker/adware but that cannot be removed with the traditional Malwarebytes anti-malware. 2) Those people are trying to sell the pro-version. My concern is that they mostly discuss restoring the Host file on the second link provided. You told me to reset it. What does that mean exactly "resetting"? Because there is a script on that second link, but it is not clear to me what exactly happens when I am resetting the host file, and mostly how that will remove a malware. Could you please explain it briefly or direct me to a link that will provide me with the needed explanations? I thank you for your help. Totoab57
lewisje
Posts: 2743
Joined: Mon Jun 14, 2010 12:07 pm

Re: Filter or script against yahoo "hsrd" redirect

Post by lewisje »

I'll just copy from that support thread, regarding the HOSTS file (a text file which is used to hard-code mappings between domains and IP addresses, a legacy from the earliest days of the Internet that has mostly been supplanted by DNS).
ds store wrote:Select below and copy, select all in your /private/etc/hosts and paste, save with the admin password. Reboot.

Next time, make a copy of the file before messing with it.

Code:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1    localhost
255.255.255.255    broadcasthost
::1             localhost
fe80::1%lo0    localhost
Extra note:

If you're attempting to block domains using the hosts file, you need to keep the new entries BELOW what you see above and use 0.0.0.0 instead of 127.0.0.1 like what is used on Windows (127.0.0.1 causes issues in OS X)

so for instance to block Facebook.com

0.0.0.0 www.facebook.com

# symbol "comments out" a line, telling the computer to ignore this line
This is not a script, it is the stuff you need to replace your HOSTS file with; it's not code that runs, it's data that the OS looks up.

What will happen is that the HOSTS file will no longer have any special hard-coded rules for which IP addresses correspond to different domains, and instead your system will rely on DNS.

Anyway, this usage of hsrd.yahoo.com is not itself a hijacker, but it's a symptom of a hijacker; once you've gotten rid of browser hijackers with MalwareBytes, then you restore your HOSTS file and also make sure to change your homepage back to what you wanted.

Also, there is nothing significant in MalwareBytes Pro that is not in MalwareBytes Free (the insignificant things include an error-prone malicious-site blocker, and a scheduler even though you normally only run this program as a one-off); ignore the upgrade offers.
There's a buzzin' in my brain I really can't explain; I think about it before they make me go to bed.
Totoab57
Posts: 28
Joined: Tue Oct 20, 2015 6:45 pm

Re: Filter or script against yahoo "hsrd" redirect

Post by Totoab57 »

Hi Lewisje,

I thank you for your reply. There are still things that I do not understand, after going to that link. Hence those questions:

1)where do I find the Host file?

2) what are the commands to locate that file?

3 )Should I start with making a copy of the current Host file and save it to my desktop before messing with that file? Do I need to back-up my computer as it is suggested?

4)If I copy and paste these "lines", am I creating a new Host file, ie., without saving the old one? Am I updating the current file? How does that take care of the malware or why is that maneuver recommended?

5) If you say that the redirecting to hsrd.yahoo.com is not the hijacker but just a symptom of the hijacker, which I understand, I have read in many blogs that the MalwareBytes has not been able to detect and remove that malware. So, do I need to find an effective anti-malware, i.e., to take care of the removal of that malware doing the redirecting, as a first step, before doing the copy/paste of those lines? Do you have a suggestion about that kind of anti-malware? I ran already McAfee Security suite and it found nothing! ? False negative?

6) I am quite "green" and I do not understand what "hard-code mappings between domains and IP addresses" means? What are the risks of my trying to modify or reset the Host file in light of my lack of knowledge?
I am grateful for your help. Totoab57
Totoab57
Posts: 28
Joined: Tue Oct 20, 2015 6:45 pm

Re: Filter or script against yahoo "hsrd" redirect

Post by Totoab57 »

Hi Lewisje,
I forgot to tell you that this malware is only directing www.yahoo.com (http or https) if you use it as home page under Firefox/ Preference/ General. While the page opens, all the news feeds that appear on the home page https.www.yahoo.com have the prefix "hsrd". So far, I've bypassed it by choosing "news.yahoo.com" as my home page, and all the news feeds (identical to the hsrd pages) appear correctly under https://news.yahoo.com! I don't know if that additional info will help you understand the nature of my problem. However, it remains evident that I should try to remove that malware! Totoab
Totoab57
Posts: 28
Joined: Tue Oct 20, 2015 6:45 pm

Re: Filter or script against yahoo "hsrd" redirect

Post by Totoab57 »

Hi Gingerbread, Mapx or anyone else: I have a Mac with OS X 10.6.8 and Firefox 42.

When I attempted to look at my Hosts file on my Mac, to assess whether it had been changed, using first the following command:
"more/etc/hosts" without the quote marks......I got the following reply: No such file or directory
Trying a different command:
/private/etc/hosts......I got the following reply: Permission not granted.
So what should I do? Any help will be greatly appreciated.

Thanks, Totoab57
lewisje
Posts: 2743
Joined: Mon Jun 14, 2010 12:07 pm

Re: Filter or script against yahoo "hsrd" redirect

Post by lewisje »

Totoab57 wrote:1)where do I find the Host file?

2) what are the commands to locate that file?
1) /private/etc/hosts
2) Open Terminal and type cd /private/etc/ and press Return, then ls and Return will show you a file called "hosts" in that directory, with no file extension
Totoab57 wrote:3 )Should I start with making a copy of the current Host file and save it to my desktop before messing with that file? Do I need to back-up my computer as it is suggested?
It's called a "hosts file" because its filename ends with an s; anyway, it's probably easier to copy that file to your desktop, work on that copy, then move it back to its original location, overwriting the original hosts file (you will need the admin password at some point, no matter how you edit the hosts file). You probably don't need to back up your computer for this operation, but it's standard advice before changing any part of a computer's configuration.

The original support post was about someone who had intentionally made changes to the hosts file other than resetting it to default; you don't need to make a backup of your malware-tampered hosts file.

Also, that post recommended TextWrangler because unlike with TextEdit, you know you'll be editing in plaintext. (TextEdit is similar to WordPad for Windows: It usually makes rich text files, and it can make plain text files, but you need to change a particular setting to do that. Old Macs came with a dedicated text editor called SimpleText that was like Notepad, but Macs released in the past decade don't have that, but at least TextWrangler is free and well renowned in the Mac community.)
Totoab57 wrote:4)If I copy and paste these "lines", am I creating a new Host file, ie., without saving the old one? Am I updating the current file? How does that take care of the malware or why is that maneuver recommended?
They're literal lines of text, not the type of "lines" that are really something else but only euphemistically or simplistically referred to as lines; anyway, you are indeed overwriting the hosts file, so that none of the hosts file you started with remains. It takes care of the effects of the malware by removing some of the incorrect mappings between domains and IP addresses that the malware likely put in the hosts file.
Totoab57 wrote:5) If you say that the redirecting to hsrd.yahoo.com is not the hijacker but just a symptom of the hijacker, which I understand, I have read in many blogs that the MalwareBytes has not been able to detect and remove that malware. So, do I need to find an effective anti-malware, i.e., to take care of the removal of that malware doing the redirecting, as a first step, before doing the copy/paste of those lines? Do you have a suggestion about that kind of anti-malware? I ran already McAfee Security suite and it found nothing! ? False negative?
Maybe you already got rid of the hijacker by other means, or whatever program did the hijacking wasn't persistent; I don't have good knowledge of the full range of anti-malware software but I've heard good things about the free Sophos Anti-Virus for Mac. Regardless, one thing you could try is editing the hosts file to a clean state, waiting a while, then seeing whether the hosts file still looks clean.
Totoab57 wrote:6) I am quite "green" and I do not understand what "hard-code mappings between domains and IP addresses" means? What are the risks of my trying to modify or reset the Host file in light of my lack of knowledge?
I am grateful for your help. Totoab57
It means to set up, in a way that does not automatically change, the IP address that your computer will try to connect to when you try to go to a particular domain. Domain names are useful because humans can remember them, but computers need the IP addresses to actually make connections. In the old days, this was managed with a file called HOSTS.TXT that was kept on a particular server and downloaded to each of the few computers that were on the Internet in the 1970s. Later on, a system called the Domain Name System (DNS) was made so that the management of domain names could be more scalable, and now computers make requests to DNS servers when they want to find the IP addresses behind domain names (that is, "resolving" them); these mappings are usually held for a while in what is known as a DNS cache, but still, at some point, the mappings will change without any settings changing on your computer. The hosts file lives on for legacy reasons, and mappings inside that file will only change if you or some program on your computer changes them; that is, they are hard-coded.

With that said, there is no risk to resetting your hosts file to the default; if you had any special reason to set up domain-to-IP mappings in that file, you would have remembered them, and everything else the hosts file once did is now done by DNS.
There's a buzzin' in my brain I really can't explain; I think about it before they make me go to bed.
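The two checks described in the replies above (compare the hosts file with the OS X default, then look again later to see whether it is still clean), as an added example that is not part of the thread. The function names, the "block"/"redirect" labels and the sample file with the documentation address 203.0.113.7 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit a hosts file against the
# OS X default quoted above.

# Print each active mapping that is not one of the four default entries.
# Reads the files given as arguments, or standard input when none are given.
# Output: "block IP NAME" for 0.0.0.0 / 127.0.0.1 sinkhole entries,
#         "redirect IP NAME" for a name pinned to any other address.
non_default_entries() {
    awk '
        BEGIN {
            ok["127.0.0.1 localhost"] = 1
            ok["255.255.255.255 broadcasthost"] = 1
            ok["::1 localhost"] = 1
            ok["fe80::1%lo0 localhost"] = 1
        }
        { sub(/#.*/, "") }          # drop comments
        NF < 2 { next }             # blank line, or an address with no name
        {
            ip = tolower($1)
            for (i = 2; i <= NF; i++) {       # one line may map several names
                name = tolower($i)
                if ((ip " " name) in ok) continue
                kind = (ip == "0.0.0.0" || ip == "127.0.0.1") ? "block" : "redirect"
                print kind, ip, name
            }
        }
    ' "$@"
}

# Succeeds only when the file holds nothing beyond the default entries.
hosts_is_clean() {
    [ -z "$(non_default_entries "$@")" ]
}

# Constructed sample: the default file plus one blocking entry and one
# tampered mapping (203.0.113.7 is a reserved documentation address).
sample_hosts() {
    cat <<'EOF'
##
# Host Database
##
127.0.0.1    localhost
255.255.255.255    broadcasthost
::1             localhost
fe80::1%lo0    localhost
0.0.0.0 www.facebook.com
203.0.113.7 www.yahoo.com yahoo.com   # constructed tampering example
EOF
}

# Demo on the sample; for the real file: non_default_entries /private/etc/hosts
sample_hosts | non_default_entries
```

Running the same check again some time after a reset shows whether something on the machine is rewriting the file: any "redirect" line that reappears is a mapping nobody typed in by hand.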
Totoab57
Posts: 28
Joined: Tue Oct 20, 2015 6:45 pm

Re: Filter or script against yahoo "hsrd" redirect

Post by Totoab57 »

Thanks Lewis for the clear explanations. I was able to take a look at my Hosts file in Terminal and it is exactly like it is shown on your thread, i.e., as it is supposed to be. I assume that it hasn't been modified. I didn't make any changes. I have since read on a Google search article that the URL hsrd.yahoo.com, which is attached before all the news feeds appearing under https://www.yahoo.com, interestingly, belongs to yahoo and another "hsrd" site in UK. No explanations were provided as to the reasons for such redirect, but its IP number is different from that of www.yahoo.com, which I pinged in Terminal. As for the DNS server, one of the links was directing the reader to a company that provides and sells security through setting a server between their clients and applying various filters before connecting requests to the proper server/IP. I have learned a bit more about my computer with all my readings, and it makes me feel very humble in light of all the things that I do not understand or I do not know. I thank you! Totoab