New type of browser / DNS hijack infection?

Posted on 2009-02-14
Last Modified: 2013-11-16
I seem to have found a new / yet-undocumented type of browser/OS hijacking.

This particular method aims to redirect all my searches (yahoo, msn, google, etc) to a page full of advertisements (see attachment). It started with my searches being hijacked in Internet Explorer. Downloaded and installed Firefox 3.x - same behavior, from first try. [so the infection mechanism for Firefox was inserted even before the browser was installed??]

Strange fact #1: It seems it is the actual Google, Yahoo or MSN page that my search query is sent from: the MSN page displays the same news items / cover stories as the page seen on a clean computer.

Strange fact #2: However, when the search starts, the browser calls IP !! (see picture) That doesn't seem to be a Google IP.
Strange fact #3: If I try a regular search, my results are hijacked. If I try an advanced search, I get the proper results!

Strange fact #4: In the list of hijacked search results, only the link (URL) to the result is hijacked. The titles and descriptions of the search results are what they should be.

Spybot S&D, Ad-aware, Malware Bytes, found nothing. Combofix crashes. AVG Anti-Vir finds nothing.

The system32\drivers\etc\HOSTS file is clean. The network connection is set to DHCP IP, automatic DNS. System Restore can't load any of the old restore points.

How do I get rid of this thing / where is it installed?
Question by: Ronino
    LVL 20

    Expert Comment

    Not such a new deal, maybe a new variant, but not new.

    Post a Hijackthis log and that will get things started and help see what might be going on.

    Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

    Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.


    Author Comment

    This is it
    LVL 20

    Accepted Solution

    Nothing showing. Suspecting a rootkit here.....

    Have you tried renaming combofix?? Let's do this...

    First, delete the copy of combofix that you have now.

    Next, download a fresh copy, but rename it to combo-fix.exe before downloading it. Or download it on another PC, rename it, and copy it over. Then try running it again.

    LVL 47

    Assisted Solution

    It's not a new infection, but maybe a new variant. Old variants are the files below; look for them and delete them if present, though MBAM should have detected sysaudio.sys if it was the one present.

    Look for any of these FAKE files and delete them if present (delete in Safe Mode if they won't go easily).
    C:\Windows\system32\wdmaud.sys <-- bad
    C:\Windows\system32\sysaudio.sys <-- bad
    c:\windows\system32\ntnet.drv <-- bad

    Please do not delete the legit ones in the Drivers folder:
    C:\Windows\system32\drivers\wdmaud.sys <-- legit one
    C:\Windows\system32\drivers\sysaudio.sys <-- legit one
    C:\Windows\system32\wdmaud.drv <-- legit file in system32 folder
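The check above is easy to get wrong by hand, because the rogue and legitimate files share a name and differ only by folder. The script below is an added example, not part of this thread or any of the tools mentioned in it: it reports which of the listed rogue copies exist (with size, timestamp, hash and Authenticode status), shows the legitimate copies next to them for comparison, checks whether any kernel driver service is registered with an image path pointing directly at system32\wdmaud.sys or system32\sysaudio.sys, and quarantines the rogue files instead of deleting them so a mistake can be undone. The paths are exactly those listed in the thread; the quarantine folder, the function names and the PowerShell 4+ requirement (Get-FileHash, Get-CimInstance) are assumptions of this example. Run it from an elevated prompt.

```powershell
<#
Added example (not from the thread): report the rogue driver copies named above,
compare them with the legitimate copies, and optionally quarantine them.
Paths are the ones listed in the thread; quarantine folder and function names
are this example's own choices. Requires PowerShell 4 or later, run elevated.
#>
$sys32 = Join-Path $env:SystemRoot 'system32'

# Rogue locations from the thread: these files should not exist directly in system32.
$SuspectPaths = @(
    (Join-Path $sys32 'wdmaud.sys'),
    (Join-Path $sys32 'sysaudio.sys'),
    (Join-Path $sys32 'ntnet.drv')
)

# Legitimate files from the thread: never delete these, only inspect them.
$LegitPaths = @(
    (Join-Path $sys32 'drivers\wdmaud.sys'),
    (Join-Path $sys32 'drivers\sysaudio.sys'),
    (Join-Path $sys32 'wdmaud.drv')
)

function Get-FileReport {
    # One record per file that actually exists, so the caller sees only real hits.
    param([string[]]$Paths, [string]$Label)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p -Force
        $sig  = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Label     = $Label
            Path      = $p
            SizeBytes = $item.Length
            Modified  = $item.LastWriteTime
            Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-LoadedSuspectDrivers {
    # Kernel driver services whose image path is system32\<name> rather than
    # system32\drivers\<name>. The wildcard pattern requires 'system32\' to sit
    # directly before the file name, so the legitimate drivers\ copies do not match.
    param([string[]]$Paths)
    $leaves = $Paths | ForEach-Object { Split-Path $_ -Leaf }
    Get-CimInstance Win32_SystemDriver | Where-Object {
        $path = $_.PathName
        $path -and ($leaves | Where-Object { $path -like "*\system32\$_" })
    } | Select-Object Name, State, StartMode, PathName
}

function Move-SuspectFiles {
    # Quarantine instead of delete so a false positive can be put back.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Paths,
        [string]$Quarantine = (Join-Path $env:SystemDrive 'Quarantine')   # assumed folder
    )
    if (-not (Test-Path -LiteralPath $Quarantine)) {
        New-Item -ItemType Directory -Path $Quarantine | Out-Null
    }
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $dest = Join-Path $Quarantine ((Split-Path $p -Leaf) + '.quarantined')
        if ($PSCmdlet.ShouldProcess($p, "Move to $dest")) {
            # Fails if the driver is loaded and holds the file open; rerun in Safe Mode.
            Move-Item -LiteralPath $p -Destination $dest -Force
        }
    }
}

# Report: rogue copies first, then the legitimate ones for side-by-side comparison.
$report = @(Get-FileReport -Paths $SuspectPaths -Label 'SUSPECT') +
          @(Get-FileReport -Paths $LegitPaths   -Label 'legit')
$report | Format-Table Label, Path, SizeBytes, Modified, Hidden, SigStatus -AutoSize

$loaded = Get-LoadedSuspectDrivers -Paths $SuspectPaths
if ($loaded) {
    'Driver services whose image path points at a rogue copy:'
    $loaded | Format-Table -AutoSize
}

# Dry run first; remove -WhatIf to actually quarantine the rogue files.
Move-SuspectFiles -Paths $SuspectPaths -WhatIf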
    LVL 47

    Expert Comment

    Can you re-download Combofix and rename it before saving to your desktop and see if it runs.

    Author Comment

    Removing the 3 bad files, starting up in Safe Mode, then renaming and running ComboFix - that did the trick

    Thanks guys
    LVL 20

    Expert Comment

    Post the cf log and we can review. There may be more that needs to be dealt with....
