

Internal address redirected to a chinese web site?

Posted on 2009-05-14
Medium Priority
Last Modified: 2013-12-04
I have 1 system within a 50+ client network that when trying to connect to an internal web server it gets redirected to a Chinese web page.  I have run combofix, malwarebytes and endpoint scans and they all come up clean.  When I reset IE7 back to defaults it was fine till I rebooted the pc.  Then it was back again.  I do not see anything in the add/remove programs applet that has Chinese language packs or anything out of the ordinary.  I do not see anything in the startup out of the ordinary.  This is the only system affected and all of the systems access the internal address that I am trying to access.  The web address that it goes to is autosearch.gd.vnet.cn.  I have tried and got the same results using Firefox.  I have attached a HijackThis log.  Any suggestions will be appreciated.
Question by:Grognor

Accepted Solution

bleech677 earned 2000 total points
ID: 24388716
First thing I see is this line

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer =,
The last IP routes back to China.
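The check the answer performs by eye, turned into a small script (an added example, not from the original thread or from HijackThis): it parses the O17 lines of a HijackThis log, which record the per-interface NameServer registry values, and flags any DNS server that is not on the organisation's approved list. The log lines, the 10.0.0.x approved servers and the 203.0.113.77 rogue address are constructed sample data, not values from the asker's log.

```python
import re
import ipaddress

# Constructed sample of HijackThis O17 lines (the addresses are from
# documentation ranges; the GUID is the one quoted in the thread).
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer = 10.0.0.5,203.0.113.77
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer = 10.0.0.5
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# DNS servers the organisation actually operates (assumed for the example).
APPROVED_DNS = {"10.0.0.5", "10.0.0.6"}

# Tolerates "NameServer =," as it appears when the value is empty or cut off.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer\s*=\s*(?P<servers>.*)$")


def parse_o17(log_text):
    """Return a list of (registry_key, [servers]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("key"), servers))
    return entries


def find_rogue_nameservers(log_text, approved=APPROVED_DNS):
    """Return (registry_key, server) pairs whose server is not an approved DNS
    address. Values that are not valid IP addresses are reported as well,
    since a hand-edited NameServer entry may hold a hostname or junk."""
    rogue = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                ipaddress.ip_address(server)
            except ValueError:
                rogue.append((key, server))
                continue
            if server not in approved:
                rogue.append((key, server))
    return rogue


if __name__ == "__main__":
    for key, server in find_rogue_nameservers(SAMPLE_LOG):
        print(f"unapproved DNS server {server} in {key}")
```

On a live machine the same values can be read from the Interfaces subkeys under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, so the comparison works as a periodic audit as well as a log check.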

Expert Comment

ID: 24388821
You can google how to fix a browser hijack.

What I would suggest is to get an AV scan with boot time like Avast and run a boot time scan - this way it will kill the virus/rogue app outside of Windows - that way it won't be able to reload and persist

Try to wipe that key out of your registry. Install something like spybot or malwarebytes and do a scan.

Author Closing Comment

ID: 31581613
Wow, that was it.  I looked at it funny when I was checking the networking info.  I thought that maybe it was a good DNS server address since it was manually configured.  Now I just need to try to find out how it was changed.  Thanks for your help!!

Expert Comment

ID: 24389150
Good to hear that cleared things up - glad to help

As for how it got there...
Most of the time these come from "Adult sites", then there are hijacked sites - a few months ago there was an exploit that infected web servers that used inline SQL - a SQL injection exploit was used to inject JavaScript into their web pages which would redirect users' browsers to install malware from Chinese servers.

How to avoid situations like this? Make sure you have the latest Windows updates installed - there are a bunch out in the past few days for Office and IE. Advise your users not to click on everything that pops up.

