
New type of browser / DNS hijack infection?

Medium Priority
1,733 Views
Last Modified: 2013-11-16
I seem to have found a new / yet-undocumented type of browser/OS hijacking.

This particular method aims to redirect all my searches (yahoo, msn, google, etc) to a page full of advertisements (see attachment). It started with my searches being hijacked in Internet Explorer. Downloaded and installed Firefox 3.x - same behavior, from first try. [so the infection mechanism for Firefox was inserted even before the browser was installed??]

Strange fact #1: It seems it is the actual Google, Yahoo or MSN page that my search query is sent from: the MSN page displays the same news items / cover stories as the Yahoo.com page seen on a clean computer.

Strange fact #2: However, when the search starts, the browser calls IP 7.7.7.0 !! (see picture) That doesn't seem to be a Google IP.
Strange fact #3: If I try a regular search, my results are hijacked. If I try an advanced search, I get the proper results!

Strange fact #4: In the list of hijacked search results, only the link (URL) to the result is hijacked. The titles and descriptions of the search results are what they should be.

Spybot S&D, Ad-aware, Malware Bytes, found nothing. Combofix crashes. AVG Anti-Vir finds nothing.

The system32\drivers\etc\HOSTS file is clean. The network connection is set to DHCP IP, automatic DNS. System Restore can't load any of the old restore points.

How do I get rid of this thing / where is it installed?
Thanks,
R.
hijack-1.JPG

Top Expert 2007

Commented:
Hi,
Not such a new deal, maybe a new variant, but not new.

Post a Hijackthis log and that will get things started and help see what might be going on.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.



Author

Commented:
This is it
hijackthis.log
Top Expert 2007
Commented:
Nothing showing. Suspecting a rootkit here.....

Have you tried renaming combofix?? Let's do this...

First, delete the copy of combofix that you have now.

Next, download a fresh copy, but rename it to combo-fix.exe before downloading it. Or download it on another PC, rename it, and copy it over. Then try running it again.



CERTIFIED EXPERT
Top Expert 2007
Commented:
It's not a new infection, but maybe a new variant. Old variants are the files below; look for them and delete them if present, though MBAM should have detected sysaudio.sys if it was the one present.

Look for any of these FAKE files and delete them if present. (Delete in Safe Mode if they won't go easily.)
C:\Windows\system32\wdmaud.sys <-- bad
C:\Windows\system32\sysaudio.sys <-- bad
c:\windows\system32\ntnet.drv <-- bad


Please do not delete the legit ones in the Drivers folder:
C:\Windows\system32\drivers\wdmaud.sys <-- legit one
C:\Windows\system32\drivers\sysaudio.sys <-- legit one
C:\Windows\system32\wdmaud.drv <-- legit file in system32 folder
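The distinction the expert draws above is purely about location: the same file name is legitimate under system32\drivers and fake one level up in system32, while ntnet.drv has no legitimate home in system32 at all and wdmaud.drv directly in system32 is fine. The following script is an added example (not code from the thread or from any of the tools mentioned) that encodes exactly that rule so it can be run over a directory listing or a live system32 folder before anything is deleted. The function names, and the mock directory tree the demo builds, are assumptions made for this example.

```python
"""Flag the misplaced audio-driver look-alikes listed in the post above.

Added example, not code from the thread. Encodes the post's rule:
wdmaud.sys and sysaudio.sys belong in system32\\drivers, a copy sitting
directly in system32 is the fake; ntnet.drv in system32 is always fake;
wdmaud.drv directly in system32 is legitimate and must be left alone.
"""
import os
import tempfile
from pathlib import PureWindowsPath

# File names that are suspicious when found directly in system32 (from the post).
SUSPECT_NAMES = {"wdmaud.sys", "sysaudio.sys", "ntnet.drv"}
# Of those, the ones that legitimately live one level down, in drivers\.
LEGIT_IN_DRIVERS = {"wdmaud.sys", "sysaudio.sys"}


def classify(path):
    """Return 'suspect', 'legit' or 'ignore' for one Windows-style path.

    Only the file name and its immediate parent folder are examined, so the
    check is purely lexical and works on listings pasted from any source.
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = p.parent.name.lower()
    if name not in SUSPECT_NAMES:
        return "ignore"      # e.g. the legit system32\wdmaud.drv
    if parent == "drivers" and name in LEGIT_IN_DRIVERS:
        return "legit"       # the real driver in system32\drivers
    if parent == "system32":
        return "suspect"     # the fake sitting beside the real drivers\ folder
    return "ignore"          # somewhere else entirely; not covered by the post


def find_suspects(paths):
    """Filter an iterable of path strings down to the ones classify() flags."""
    return sorted(p for p in paths if classify(p) == "suspect")


def scan_system32(system32_dir):
    """Walk a real system32 folder (top level plus drivers\\) and return the
    suspect files found there, so the same rule can be run on a live box.
    """
    found = []
    for sub in ("", "drivers"):
        folder = os.path.join(system32_dir, sub)
        if not os.path.isdir(folder):
            continue
        for entry in os.listdir(folder):
            full = os.path.join(folder, entry)
            if os.path.isfile(full) and classify(full) == "suspect":
                found.append(full)
    return sorted(found)


def demo():
    """Build a constructed mock system32 tree in a temp dir and scan it.

    The files are empty placeholders, not real drivers; the point is only to
    show which of the six names the rule flags.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "system32")
        os.makedirs(os.path.join(sys32, "drivers"))
        for rel in ("wdmaud.sys", "sysaudio.sys", "ntnet.drv", "wdmaud.drv",
                    os.path.join("drivers", "wdmaud.sys"),
                    os.path.join("drivers", "sysaudio.sys")):
            with open(os.path.join(sys32, rel), "wb") as fh:
                fh.write(b"constructed placeholder, not a real driver\n")
        return [os.path.relpath(p, sys32) for p in scan_system32(sys32)]


if __name__ == "__main__":
    print(demo())  # ['ntnet.drv', 'sysaudio.sys', 'wdmaud.sys']
```

On a real machine you would call `scan_system32(r"C:\Windows\system32")` and review the list by hand before removing anything; the script deliberately only reports and never deletes, since the post's advice is to delete in Safe Mode once you have confirmed the file is the misplaced copy.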
CERTIFIED EXPERT
Top Expert 2007

Commented:
Can you re-download Combofix and rename it before saving to your desktop and see if it runs.

Author

Commented:
Removing the 3 bad files, starting up in Safe Mode, renaming then running Combo Fix - that did the trick.

Thanks guys
Top Expert 2007

Commented:
Post the cf log and we can review. There may be more that needs to be dealt with....