Internal address redirected to a chinese web site?

Posted on 2009-05-14
Last Modified: 2013-12-04
I have 1 system within a 50+ client network that, when trying to connect to an internal web server, gets redirected to a Chinese web page. I have run ComboFix, Malwarebytes and endpoint scans and they all come up clean. When I reset IE7 back to defaults it was fine till I rebooted the PC. Then it was back again. I do not see anything in the Add/Remove Programs applet that has Chinese language packs or anything out of the ordinary. I do not see anything in the startup out of the ordinary. This is the only system affected, and all of the systems access the internal address that I am trying to access. The web address that it goes to is  I have tried and got the same results using Firefox. I have attached a HijackThis log. Any suggestions will be appreciated.
Question by:Grognor

Accepted Solution

bleech677 earned 500 total points
ID: 24388716
First thing I see is this line

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer =,
The last IP routes back to China.
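As an added example (not part of the original thread or the HijackThis tool), a Python check that pulls the O17 NameServer entries out of a HijackThis log and flags any DNS server that falls outside an assumed trusted internal range; the log lines and addresses below are constructed, with documentation-range IPs standing in for the real values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample HijackThis-style log lines (not from the original post).
# 192.0.2.x stands in for the site's internal DNS servers, 203.0.113.77 for
# the rogue external resolver that the O17 line revealed in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer = 192.0.2.10,203.0.113.77
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{5D0C7F1A-0000-4000-8000-000000000001}: NameServer = 192.0.2.10,192.0.2.11
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{2F478981-B633-4BBC-9D81-ECF6EE52460E}: NameServer = 192.0.2.10,203.0.113.77
"""

# Assumed: every legitimate DNS server on this network lives in this range.
TRUSTED_DNS = [ip_network("192.0.2.0/24")]

# O17 lines name the Tcpip interface key and a comma-separated server list.
O17_RE = re.compile(r"^O17 - (?P<key>\S+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (registry_key, [server, ...]) for each O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            yield m.group("key"), servers


def rogue_servers(log_text, trusted=TRUSTED_DNS):
    """Return {registry_key: [servers not in the trusted ranges]}.

    A non-IP token is reported too: a hostname in NameServer is itself odd.
    Backup control sets (CS1, CS2) are reported separately, since a cleanup
    that only edits CCS can be undone by a Last Known Good boot.
    """
    findings = {}
    for key, servers in parse_o17(log_text):
        bad = []
        for s in servers:
            try:
                addr = ip_address(s)
            except ValueError:
                bad.append(s)
                continue
            if not any(addr in net for net in trusted):
                bad.append(s)
        if bad:
            findings[key] = bad
    return findings
```

Run it over a log exported from an affected and an unaffected machine; only the affected one should produce findings, and the same rogue address under CCS and CS1 tells you to clear both.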

Expert Comment

ID: 24388821
You can Google how to fix a browser hijack.

What I would suggest is to get an AV scan with boot time like Avast and run a boot time scan - this way it will kill the virus/rogue app outside of Windows - that way it won't be able to reload and persist.

Try to wipe that key out of your registry. Install something like Spybot or Malwarebytes and do a scan.

Author Closing Comment

ID: 31581613
Wow, that was it. I looked at it funny when I was checking the networking info. I thought that maybe it was a good DNS server address since it was manually configured. Now I just need to try to find out how it was changed. Thanks for your help!!

Expert Comment

ID: 24389150
Good to hear that cleared things up - glad to help.

As for how it got there...
Most of the time these come from "adult sites", then there are hijacked sites - a few months ago there was an exploit that infected web servers that used inline SQL - a SQL injection exploit was used to inject JavaScript into their web pages which would redirect users' browsers to install malware from Chinese servers.

How to avoid situations like this? Make sure you have the latest Windows updates installed - there are a bunch out in the past few days for Office and IE. Advise your users not to click on everything that pops up.

