Internal address redirected to a chinese web site?

Posted on 2009-05-14
Last Modified: 2013-12-04
I have 1 system within a 50+ client network that when trying to connect to a internal web server it gets redirected to a chinese web page.  I have run combofix, malwarebytes and endpoint scans and they all come up clean.  When I reset IE7 back to defaults it was fine till I rebooted the pc.  Then it was back again.  I do not see anyting in the add/remove programs applet that has chinese languae packs or sanuthing out of the ordinary.  I do not see anything in the startup out fo the ordinary.  this is the only system affected and all of the systems access the internal address that I am trying to access.  The web address that it goes to is  I have tried and got the same results using firefox.  I have attached a highjackthis log.  Any suggestions will be appreciated.      
Question by:Grognor
  • 3

Accepted Solution

bleech677 earned 500 total points
ID: 24388716
First thing I see is this line

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer =,
the last IP routes back to china

Expert Comment

ID: 24388821
You can google how to fix a browser hiijack.

What I would suggest is to get a AV scan with boot time like Avast and run a boot time scan - this way it will kill the virus/rouge app outside of windows - that way it won't be able to reload and persist

Try to wipe that key out of your registry. Install something like spybot or malwarebytes and do a scan.

Author Closing Comment

ID: 31581613
Wow, that was it.  I looked at it funny when I was checking the networking info.  I thought that maybe it was a good DNS server address since it was manually configured.  Now I just need to try to find out how it was changed.  Thanks for your help!!

Expert Comment

ID: 24389150
Good the hear that cleared things up - glad to help

As for how it got there...
Most of the time these come from "Adult sites", then there are hijacked sites - a few months ago there was an exploit that infected web servers that used inline sql - a sql injection expliot was used to inject javascript into thier web pages whcih would redirect user's browsers to install malware from chinese servers.

How to avoid situations like this? Make sure you have the latest windows updates installed - there are a buch out in the past few days for office and IE. Advise your users not to click on everything that pops up.


Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

Suggested Solutions

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now