New type of browser / DNS hijack infection?

I seem to have found a new / yet-undocumented type of browser/OS hijacking.

This particular method aims to redirect all my searches (yahoo, msn, google, etc) to a page full of advertisements (see attachment). It started with my searches being hijacked in Internet Explorer. Downloaded and installed Firefox 3.x - same behavior, from first try. [so the infection mechanism for Firefox was inserted even before the browser was installed??]

Strange fact #1: It seems it is the actual Google, Yahoo or MSN page that my search query is sent from: the MSN page displays the same news items / cover stories as the Yahoo.com page seen on a clean computer.

Strange fact #2: However, when the search starts, the browser calls IP 7.7.7.0 !! (see picture) That doesn't seem to be a Google IP.

Strange fact #3: If I try a regular search, my results are hijacked. If I try an advanced search, I get the proper results!

Strange fact #4: In the list of hijacked search results, only the link (URL) to the result is hijacked. The titles and descriptions of the search results are what they should be.

Spybot S&D, Ad-aware, Malware Bytes, found nothing. Combofix crashes. AVG Anti-Vir finds nothing.

The system32\drivers\etc\HOSTS file is clean. The network connection is set to DHCP IP, automatic DNS. System Restore can't load any of the old restore points.

How do I get rid of this thing / where is it installed?
Thanks,
R.
hijack-1.JPG
RoninoAsked:
 
IndiGenusCommented:
Nothing showing. Suspecting a rootkit here.....

Have you tried renaming combofix?? Let's do this...

First, delete the copy of combofix that you have now.

Next, download a fresh copy, but rename it to combo-fix.exe before downloading it. Or download it on another PC, rename it, and copy it over. Then try running it again.

 
IndiGenusCommented:
Hi,
Not such a new deal, maybe a new variant, but not new.

Post a Hijackthis log and that will get things started and help see what might be going on.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

 
RoninoAuthor Commented:
This is it
hijackthis.log
 
rpggamergirlCommented:
It's not a new infection, but maybe a new variant. Old variants are these files below; look for them and delete them if present, though MBAM should have detected sysaudio.sys if it was the one present.

Look for any of these FAKE files and delete them if present (delete in Safe Mode if they won't go easily):
C:\Windows\system32\wdmaud.sys <-- bad
C:\Windows\system32\sysaudio.sys <-- bad
c:\windows\system32\ntnet.drv <-- bad
Please do not delete the legit ones in the Drivers folder:
C:\Windows\system32\drivers\wdmaud.sys <-- legit one
C:\Windows\system32\drivers\sysaudio.sys <-- legit one
C:\Windows\system32\wdmaud.drv <-- legit file in system32 folder
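A defender-side triage script, added here as an example (it is not from this thread or from any of the participants), that checks the three suspect paths and their legitimate counterparts listed in the comment above before anything is deleted, and records size, timestamps, Authenticode status and SHA-256 so the evidence survives the cleanup. It assumes the standard %SystemRoot% layout and a PowerShell version that has Get-FileHash (4.0 or later); the file names are the ones named above.

```powershell
# Added example, not part of the original thread.
# Assumes %SystemRoot% points at the Windows folder (e.g. C:\Windows).
$sys32 = Join-Path $env:SystemRoot 'system32'

# Files that should NOT exist directly in system32 (the "bad" ones from the thread)
$suspect = @('wdmaud.sys', 'sysaudio.sys', 'ntnet.drv') |
    ForEach-Object { Join-Path $sys32 $_ }

# Legitimate counterparts that must be left alone
$legit = @('drivers\wdmaud.sys', 'drivers\sysaudio.sys', 'wdmaud.drv') |
    ForEach-Object { Join-Path $sys32 $_ }

function Describe-File {
    param([string]$Path)
    # -Force so hidden/system attributes do not hide the file from us
    $f = Get-Item -LiteralPath $Path -Force
    # Note: catalog-signed Windows files can report NotSigned here, because
    # Get-AuthenticodeSignature only looks at embedded signatures on older
    # systems. Treat the status as a hint, not a verdict.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [PSCustomObject]@{
        Path      = $Path
        Size      = $f.Length
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        Signature = $sig.Status
        SHA256    = $hash
    }
}

Write-Output '== Suspect locations (should be absent) =='
foreach ($p in $suspect) {
    if (Test-Path -LiteralPath $p) {
        Write-Output "PRESENT (record before removing):"
        Describe-File -Path $p | Format-List
    } else {
        Write-Output "absent: $p"
    }
}

Write-Output '== Legitimate locations (should be present, do not delete) =='
foreach ($p in $legit) {
    if (Test-Path -LiteralPath $p) {
        Describe-File -Path $p | Format-List
    } else {
        Write-Output "WARNING: expected system file missing: $p"
    }
}
```

Run it from an elevated PowerShell prompt and keep the output alongside the Hijackthis and Combofix logs; a suspect file whose creation time matches the day the redirects started is the strongest lead for the rest of the review.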
 
rpggamergirlCommented:
Can you re-download Combofix and rename it before saving to your desktop and see if it runs.
 
RoninoAuthor Commented:
Removing the 3 bad files, starting up in Safe Mode, renaming and then running Combofix - that did the trick.

Thanks guys
 
IndiGenusCommented:
Post the cf log and we can review. There may be more that needs to be dealt with....