

Internal address redirected to a Chinese web site?

Posted on 2009-05-14
Medium Priority
Last Modified: 2013-12-04
I have 1 system within a 50+ client network that, when trying to connect to an internal web server, gets redirected to a Chinese web page. I have run ComboFix, Malwarebytes and endpoint scans and they all come up clean. When I reset IE7 back to defaults it was fine till I rebooted the PC. Then it was back again. I do not see anything in the Add/Remove Programs applet that has Chinese language packs or anything out of the ordinary. I do not see anything in the startup out of the ordinary. This is the only system affected, and all of the systems access the internal address that I am trying to access. The web address that it goes to is  I have tried and got the same results using Firefox. I have attached a HijackThis log. Any suggestions will be appreciated.
Question by: Grognor

Accepted Solution

bleech677 earned 2000 total points
ID: 24388716
First thing I see is this line:

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer =,
The last IP routes back to China.
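A defender-side check for the kind of entry bleech677 points at, added here as an example and not part of the thread: it parses HijackThis O17 lines (a constructed sample, with a TEST-NET documentation address standing in for the rogue resolver) and flags any statically configured NameServer value that is not on an assumed allowlist of the site's internal DNS servers.

```python
import ipaddress
import re

# Constructed sample HijackThis O17 lines for this example (not the poster's log).
# 203.0.113.77 is a TEST-NET documentation address standing in for the rogue resolver.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer = 192.168.10.5,203.0.113.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B2C3D4-0000-1111-2222-333344445555}: DhcpNameServer = 192.168.10.5 192.168.10.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.10.5
"""

# Resolvers this (assumed) network legitimately uses.
APPROVED_RESOLVERS = {"192.168.10.5", "192.168.10.6"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<servers>.*)$")


def parse_o17(log_text):
    """Return one dict per O17 line: registry key, value name, list of resolver strings."""
    records = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis prints multiple resolvers separated by commas or spaces.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        records.append({"key": m.group("key"), "name": m.group("name"), "servers": servers})
    return records


def rogue_resolvers(log_text, approved):
    """Flag each statically set resolver not on the allowlist as (key, ip, reason).

    DhcpNameServer values are skipped: they are learned from DHCP, whereas the
    hijack in the post was a manually set NameServer value on one interface."""
    findings = []
    for rec in parse_o17(log_text):
        if rec["name"] != "NameServer":
            continue
        for ip in rec["servers"]:
            if ip in approved:
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append((rec["key"], ip, "not a valid IP address"))
                continue
            scope = "RFC1918" if any(addr in net for net in RFC1918) else "non-RFC1918"
            findings.append((rec["key"], ip, f"{scope} address outside allowlist"))
    return findings


if __name__ == "__main__":
    for key, ip, reason in rogue_resolvers(SAMPLE_LOG, APPROVED_RESOLVERS):
        print(f"{ip}: {reason} ({key})")
```

Running it over a real HijackThis log (or over the same registry values exported from HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces) surfaces exactly the one interface whose resolver list was tampered with, which is what the accepted answer spotted by eye.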

Expert Comment

ID: 24388821
You can google how to fix a browser hijack.

What I would suggest is to get an AV with a boot-time scan, like Avast, and run a boot-time scan - this way it will kill the virus/rogue app outside of Windows - that way it won't be able to reload and persist.

Try to wipe that key out of your registry. Install something like spybot or malwarebytes and do a scan.

Author Closing Comment

ID: 31581613
Wow, that was it. I looked at it funny when I was checking the networking info. I thought that maybe it was a good DNS server address since it was manually configured. Now I just need to try to find out how it was changed. Thanks for your help!!

Expert Comment

ID: 24389150
Good to hear that cleared things up - glad to help.

As for how it got there...
Most of the time these come from "adult sites", then there are hijacked sites - a few months ago there was an exploit that infected web servers that used inline SQL - a SQL injection exploit was used to inject JavaScript into their web pages which would redirect users' browsers to install malware from Chinese servers.

How to avoid situations like this? Make sure you have the latest Windows updates installed - there are a bunch out in the past few days for Office and IE. Advise your users not to click on everything that pops up.

