New type of browser / DNS hijack infection?

I seem to have found a new / yet-undocumented type of browser/OS hijacking.

This particular method aims to redirect all my searches (Yahoo, MSN, Google, etc.) to a page full of advertisements (see attachment). It started with my searches being hijacked in Internet Explorer. I downloaded and installed Firefox 3.x - same behavior, from the first try. [So the infection mechanism for Firefox was inserted even before the browser was installed??]

Strange fact #1: It seems it is the actual Google, Yahoo or MSN page that my search query is sent from: the MSN page displays the same news items / cover stories as the Yahoo.com page seen on a clean computer.

Strange fact #2: However, when the search starts, the browser calls IP !! (see picture) That doesn't seem to be a Google IP.
Strange fact #3: If I try a regular search, my results are hijacked. If I try an advanced search, I get the proper results!

Strange fact #4: In the list of hijacked search results, only the link (URL) to the result is hijacked. The titles and descriptions of the search results are what they should be.

Spybot S&D, Ad-Aware and Malwarebytes found nothing. ComboFix crashes. AVG Anti-Virus finds nothing.

The system32\drivers\etc\HOSTS file is clean. The network connection is set to DHCP IP, automatic DNS. System Restore can't load any of the old restore points.

How do I get rid of this thing / where is it installed?
2 Solutions
Not such a new deal, maybe a new variant, but not new.

Post a Hijackthis log and that will get things started and help see what might be going on.

Click on the "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Ronino (Author) Commented:
This is it
Nothing showing. Suspecting a rootkit here.....

Have you tried renaming combofix?? Let's do this...

First, delete the copy of combofix that you have now.

Next, download a fresh copy, but rename it to combo-fix.exe when saving it. Or download it on another PC, rename it, and copy it over. Then try running it again.

It's not a new infection, but maybe a new variant. Old variants used the files below; look for them and delete them if present, though MBAM should have detected sysaudio.sys if it was the one present.

Look for any of these FAKE files and delete them if present (delete in Safe Mode if they won't go easily):
C:\Windows\system32\wdmaud.sys <-- bad
C:\Windows\system32\sysaudio.sys <-- bad
c:\windows\system32\ntnet.drv <-- bad

Please do not delete the legit ones in the Drivers folder:
C:\Windows\system32\drivers\wdmaud.sys <-- legit one
C:\Windows\system32\drivers\sysaudio.sys <-- legit one
C:\Windows\system32\wdmaud.drv <-- legit file in system32 folder
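The check the answer above describes, written out as an added PowerShell example (this is not code from the thread or from any of the tools mentioned): it reports which of the listed paths exist, how large each file is, and what Authenticode says about it. The file names and the fake/legit split come from the answer; resolving the Windows folder through $env:SystemRoot and the signature check are this script's own assumptions. One caveat: legitimate Windows drivers are usually catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature may report NotSigned for the real files in the drivers folder too. The decisive rule here is the location, exactly as the answer states, and the signature column is extra context only.

```powershell
# Added example: report the FAKE vs. legit file locations listed in the answer.
# Assumes a standard Windows install; $env:SystemRoot is normally C:\Windows.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Names the answer calls FAKE when found directly under System32
$suspectPaths = @(
    (Join-Path $sys32 'wdmaud.sys'),
    (Join-Path $sys32 'sysaudio.sys'),
    (Join-Path $sys32 'ntnet.drv')
)

# Legitimate locations the answer says to leave alone
$legitPaths = @(
    (Join-Path $sys32 'drivers\wdmaud.sys'),
    (Join-Path $sys32 'drivers\sysaudio.sys'),
    (Join-Path $sys32 'wdmaud.drv')
)

function Get-FileReport {
    param([string]$Path, [string]$Expectation)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Expectation = $Expectation; Present = $false
            SizeBytes = 0; Signature = 'n/a'; Signer = 'n/a'
        }
    }

    $item = Get-Item -LiteralPath $Path
    # Embedded Authenticode status: Valid / NotSigned / HashMismatch / ...
    # Catalog-signed Windows files legitimately show NotSigned here.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $Path
        Expectation = $Expectation
        Present     = $true
        SizeBytes   = $item.Length
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    }
}

$report = @()
$report += $suspectPaths | ForEach-Object { Get-FileReport -Path $_ -Expectation 'should NOT exist' }
$report += $legitPaths   | ForEach-Object { Get-FileReport -Path $_ -Expectation 'legit, keep' }
$report | Format-Table -AutoSize

# Anything present in a "should NOT exist" location is what the answer says to delete.
$hits = @($report | Where-Object { $_.Expectation -eq 'should NOT exist' -and $_.Present })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} suspect file(s) found directly under System32; delete them (Safe Mode if locked):" -f $hits.Count)
    $hits | ForEach-Object { Write-Warning $_.Path }
    # Deletion is left manual on purpose. Uncomment to remove them:
    # $hits | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
} else {
    Write-Host 'None of the listed fake files are present.'
}
```

Run it from an elevated PowerShell prompt so System32 is readable in full. If a suspect file exists but Remove-Item fails with access denied, that matches the "won't go easily" case in the answer, and Safe Mode is the next step.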
Can you re-download ComboFix and rename it before saving it to your desktop, and see if it runs?
Ronino (Author) Commented:
Removing the 3 bad files, starting up in Safe Mode, then renaming and running ComboFix - that did the trick.

Thanks guys
Post the ComboFix log and we can review it. There may be more that needs to be dealt with....
