Tuesday, July 25, 2006

When Evil Lurks: The Solution to the SearchAtHand DNS Hi-jacking Problem

My computer's Domain Name Server (DNS) settings were hi-jacked by an unscrupulous Ukrainian firm called SearchAtHand. It took me awhile to discover a solution, so I wanted to post the solution here for anyone else that may have this trouble. It's taken me weeks to figure this out, and meanwhile SearchAtHand has been profiting by selling my search results to pay per click advertisers, and gathering all kinds of data on me.

I'm a fairly saavy internet user, so for SearchAtHand to by-pass my defenses and knowledge is darn sneaky. They've figured out a very effective way to hi-jack your browswer, by-pass your defenses, and frustrate internet users who would rather have default results returned by a more reputable search engine.

The symptoms:
For the past two weeks, I have not been able to log into certain websites that I frequent, including Statcounter.com and Alexa.com because of 403 errors. I've had to log into these sites using an alternate computer, which has been inconvenient to say the least. I tried re-setting my browser to its factory settings, but to no avail.

My first clue that my DNS settings had been pirated should have been when my "default search" settings in my browser started showing up as something called SearchAtHand.com.
Whenever I misspelled a domain name, SearchAtHand wanted to handle my search.

Weird things would also happen -- such as trying to get to a website, and being "routed" someplace else.

After anti-spyware scans (eTrust) and anti-virus scans (Windows Defender) turned up nothing, I started suspecting a trojan application. Searches on Google turned up very little about SearchAtHand.

Eventually I found what I needed with the help of MSN search (note to Google: you better start providing results that are more fresh: your stale results are regularly and frequently pushing me toward MSN, where the results are much more fresh. Google seems to be about 6 to 12 months behind MSN, but thats another blog).

On MSN, I came across this tutorial at Free Security Tools that tells me how to remove SearchAtHand's DNS Settings. I recommend it. It worked for me. I won't re-hash it here since they did a nice job with screenshots and everything else.

I have no idea how SearchAtHand got its claws into my computer. Somewhere, on some page, something misleading was downloaded, perhaps as an activeX control. I just don't know.

Watch out for Adware or spyware removal companies claim to be marketing a solution to this specific problem that don't work. The best way is to remove it yourself, for free. You shouldn't have to pay to fix what someone else has broken.

And as for you SearchAtHand, this will catch up with you eventually. Evil is as evil does (Forrest Gump).

-- UPDATE: XoftSpy anti-vir by Parreto Logic will now uninstall SearchAtHand. I verified this fact directly with their support dept. If for some reason your SAH variant is not removed, they will work with you directly to solve it. You can download it here. Let me know how it works!


3 comments:

Anonymous said...

The advice given by that link is good but this pest is wilier than that. In my own TCP/IP settings dialogue the DNS is set to automatic so that it goes to my ISP. SearchAtHand is still hijacking my web requests, though.

The freesecurity site gives the hijacker's DNS servers as 85.255.115.22 and 85.255.112.228. I did a RegEdit search for 85.225 and it located places in the registry where TCP/IP NameServer keys were set to these two servers.

(These occurred in My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ and My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\ but doing a search is more thorough.)

I changed the key from NameServer to Hijacked-NameServer but deleting would be equally effective and clear a bit of fluff out of the Registry's navel as well.

Scott said...

Wow, thanks for this!!! Nice catch!

I didn't find the first occurrence you referenced, but I did find the second occurrence. I deleted it without any apparent effect on my computer.

Geez, these guys are really evil.

Anonymous said...

Whew...I've got the search at hand crap and have tried just about all the free spyware/malware,trojan detecters and still have it. Unfortunately I've not competer savvy enough to even understand what you did in that last post.
Is there help for someone in my situation.
James