• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 316

Internal address redirected to a chinese web site?

I have 1 system within a 50+ client network that, when trying to connect to an internal web server, gets redirected to a Chinese web page.  I have run ComboFix, Malwarebytes and endpoint scans and they all come up clean.  When I reset IE7 back to defaults it was fine till I rebooted the PC.  Then it was back again.  I do not see anything in the Add/Remove Programs applet that has Chinese language packs or anything out of the ordinary.  I do not see anything in the startup out of the ordinary.  This is the only system affected, and all of the systems access the internal address that I am trying to access.  The web address that it goes to is autosearch.gd.vnet.cn.  I have tried and got the same results using Firefox.  I have attached a HijackThis log.  Any suggestions will be appreciated.
1 Solution
First thing I see is this line

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer =,
the last IP routes back to China.
You can google how to fix a browser hijack.

What I would suggest is to get an AV with a boot-time scan like Avast and run a boot-time scan - this way it will kill the virus/rogue app outside of Windows - that way it won't be able to reload and persist.

Try to wipe that key out of your registry. Install something like spybot or malwarebytes and do a scan.
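The O17 line above is HijackThis reporting the NameServer value of a Tcpip interface key, i.e. the DNS resolvers that interface is configured to use. As an added example (not from this thread or from HijackThis), the script below parses O17 NameServer entries out of a log and flags any resolver that is not on the approved list or not inside the corporate LAN range; the log lines, the approved resolvers and the LAN range are constructed placeholders, with 198.51.100.23 (TEST-NET-2) standing in for the rogue server.

```python
import re
import ipaddress

# Constructed sample HijackThis lines (not the poster's log). The rogue
# resolver is a documentation-range placeholder, not a real server.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer = 10.0.0.5,198.51.100.23
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer = 10.0.0.5,198.51.100.23
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = corp.example
"""

# Assumed for this example: the resolvers the network really uses, and the
# address range internal DNS servers are expected to live in.
APPROVED_RESOLVERS = {"10.0.0.5", "10.0.0.6"}
LAN = ipaddress.ip_network("10.0.0.0/8")

# O17 NameServer entries: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.*)$")


def find_rogue_nameservers(log_text, approved=APPROVED_RESOLVERS, lan=LAN):
    """Return (registry_key, resolver, reason) for every NameServer entry
    that points at a resolver outside the approved set."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # Windows stores several resolvers as a comma- or space-separated list.
        for raw in re.split(r"[,\s]+", m.group("servers")):
            if not raw or raw in approved:
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((m.group("key"), raw, "unparseable"))
                continue
            reason = "unapproved LAN host" if ip in lan else "outside LAN"
            findings.append((m.group("key"), str(ip), reason))
    return findings


if __name__ == "__main__":
    for key, resolver, reason in find_rogue_nameservers(SAMPLE_LOG):
        print(f"{reason}: {resolver} in {key}")
```

The same entry shows up once per control set (CCS and CS1 here), which is why clearing only the CurrentControlSet key can let the setting come back after a reboot.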
Grognor (Author) commented:
Wow, that was it.  I looked at it funny when I was checking the networking info.  I thought that maybe it was a good DNS server address since it was manually configured.  Now I just need to try to find out how it was changed.  Thanks for your help!!
Good to hear that cleared things up - glad to help.

As for how it got there...
Most of the time these come from "adult sites", then there are hijacked sites - a few months ago there was an exploit that infected web servers that used inline SQL - a SQL injection exploit was used to inject JavaScript into their web pages which would redirect users' browsers to install malware from Chinese servers.

How to avoid situations like this? Make sure you have the latest Windows updates installed - there are a bunch out in the past few days for Office and IE. Advise your users not to click on everything that pops up.
