Unknown hijacking: Not detected by Spybot

Jeoshua
2011-08-07, 15:30
First, a bit of background on myself before you assume anything about me. I have worked in computer repair and spyware removal for about 10 years now. I'm normally very good at rooting out everything. My chosen tools are spybot, hijackthis, regedit, and good ol' fashioned cmd. I have never run across a problem with these tools that I could not ferret out.

Until now.

I have been struggling for the last 2 weeks with some form of hijacker that periodically sends me to an advertising website: delivery.jemacpv.com. Apparently this software/hack is trying to make money off of me. Well I won't have it, and have already added this as an override to my hosts file. If you can't remove the heart, cut off their huevos.

Now, all hijackthis logs show absolutely nothing out of the ordinary. Spybot S&D shows nothing at all except the standard tracking cookies. Rkill.com comes up empty. Procmon... well let's just say that even after swimming through all the data that I could track from iexplore.exe, nothing seems amiss. As far as the computer is concerned, I asked to go to the website. I haven't installed any software recently and if any was installed unknowingly it left seemingly no trace. The only thing I can think of is that somehow someone is spoofing my DNS.

I would suggest that spybot update their inoculations to add delivery.jemacpv.com to their list of blocked sites. There is nothing redeeming about the site, and it is only seemingly an advertising portal. And not even the decent kind of advertising, but the "You Have Won!" and "Work From Home!" popup type. Most unsavory.

I realize this is my one and only post on this forum, so I may not be trusted or be posting this in the wrong area, but rest assured when I tell you there is something out there that is confounding even me, and the only thing that I have found to do is to block it in my hosts file. It's still in there somewhere, but now I get a 404 instead of Popup Ads. At least the hijacker is no longer making money off me.

Jeoshua
2011-08-07, 18:52
Quick update, the hijack just changed tack to redirect me to pops.lightningseek.com

It seems that my DNS theory was correct.

If you're reading this, up yours (not you, spybot forums)

Jeoshua
2011-08-08, 16:24
And another one.

pops.therainbowsearch.com

Wakefield
2011-08-08, 16:34
It is sort of over my head but I wonder if there is such a thing as a hijack or redirect that messes with the function of the router or DSL box if you have one? In other words malware in your router instead of your computer?

tashi
2011-08-08, 22:04
Hello Jeoshua,

In order to directly examine the threat, this topic being posted in "Requests for additions to Spybot's detections", our detectives will need the file itself. If you can find any suspicious files please zip or rar them and send to: detections(at)spybot.info (Replace AT with @)

Thanks. :)

If this is your personal computer and you would like someone to take a look at the system please start a topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and a volunteer analyst will advise when available.

First see that forum's FAQ which also includes instructions in post #2 on how to provide DDS logs, which are the logs used for first contact analysis, not HJT.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Best regards.

Jeoshua
2011-08-11, 22:33
That's actually the issue here. I can't find it at all. I prefaced my point by saying I'm actually normally fairly good at this and actually do it for a living.

And yet, it seems there is nothing wrong with my computer at all, but these popups keep happening.

I haven't just been relying on Spybot for this. I've used Ad-aware, HijackThis, Norton, and about 20 hours total of looking over various registry settings and folders. Nothing is there.

As to Mr Wakefield.

No, it doesn't install software on your router or anything. It's hard to describe, but what seems to be happening is that my computer sends out the DNS request to see what IP corresponds to a website (let's say www.google.com).

From my perspective: The signal goes out towards the DNS. The "DNS" seems to respond, telling my browser the IP it needs to access. However, once accessed, this IP turns out to be false, and is really just an ad website.

I'm not sure of the exact how-to of it, but some 3rd party has taken over the functions of my DNS, periodically telling me that what I thought was "www.google.com" is actually not, and gives me the address for "pops.rainbowfind.com" or what have you.

In the past few days, the list of sites I was being sent to went from 1 site to about 30. They're all variations on each other.

pops.rainbowseek.com
pops.therainbowfind.com
pops.blueseek.com
pops.redseek.com
pops.greenfind.com
pops.mygreenfind.com
pops.mygreen-search.com

And so forth and so on, ad nauseam.

I don't have a live sample of any malware here because, as best as I can determine, this is not local on my computer. Honestly I didn't place this "request" in this area of the forums, myself. A moderator moved it here. I fully realize that this is not a request for detection of a specific malware threat. Really, what I was trying to do is make a request for specific ad-blocking to be added in to the "Immunization" area.

lewisje
2011-08-17, 14:49
Have you considered checking your proxy or DNS settings? One of the two could have been changed, and indeed if what you describe about your "DNS" is accurate, it is possible that malware has changed your primary and secondary DNS servers to a pair controlled by a hijacker.

If you haven't set up something special on your router, try using the DNS servers from Comodo Secure DNS, and if you have (like setting the router's DNS settings to that, and also setting up ad-blocking at the router level), just set your computer to automatically get DNS settings.

As for the system proxy settings, in Internet Options you should probably change it to "Direct Connection" unless your ISP demands something else, while for Firefox, Opera, and all other browsers, change your proxy settings to "system proxy settings".

I give this advice only because it doesn't look like you said that you've already looked there.
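Jeoshua's description above (the resolver answering with an ad server's address instead of the real one) and lewisje's checklist (adapter DNS servers, Internet Options proxy, hosts file) point at three places on a Windows machine where such a hijack is configured. The following script is an added example, not code from the thread or from Spybot: it parses `ipconfig /all` output for the DNS servers of each adapter, flags any that are neither on the LAN nor on an allowlist the owner maintains, lists hosts-file entries that redirect a name somewhere other than loopback (block entries like the ones Jeoshua and kathedral added are left alone), and on Windows reads the per-user Internet Settings proxy values. The `ipconfig` text and hosts file below are constructed samples; the 198.51.100.x and 203.0.113.x addresses are documentation ranges standing in for "servers the owner did not choose", and `TRUSTED_RESOLVERS` is an assumed allowlist you fill in yourself.

```python
"""Audit the three places a Windows DNS/proxy hijack is usually configured:
adapter DNS servers, the Internet Options proxy, and the hosts file."""
import ipaddress
import re
import sys

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# 198.51.100.x is a documentation range used here as a placeholder for
# resolvers the owner never configured.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : MEDIAPC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.10
                                       198.51.100.11

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Constructed hosts file: two block entries of the kind the posters added,
# plus one redirect-style entry (203.0.113.x is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         delivery.jemacpv.com
0.0.0.0         pops.lightningseek.com
203.0.113.9     www.google.com
"""

# Assumption: public resolvers the owner deliberately configured go here.
TRUSTED_RESOLVERS = frozenset()

# RFC 1918 ranges: a resolver here is the router or another LAN host, which
# is what "obtain DNS automatically" normally hands out.
_LAN_NETS = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_ADAPTER_RE = re.compile(r"^(\S.*):\s*$")            # "Ethernet adapter X:"
_FIELD_RE = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*)$")   # "   Name . . . : value"
_CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # extra IPv4 lines


def parse_dns_servers(text):
    """Return {adapter: [dns servers]} from `ipconfig /all` text (IPv4 only)."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1).strip(), False
            continue
        m = _FIELD_RE.match(line)
        if m:
            in_dns = m.group(1).strip().startswith("DNS Servers")
            if in_dns and adapter:
                servers.setdefault(adapter, []).append(m.group(2).strip())
            continue
        m = _CONT_RE.match(line)
        if m and in_dns and adapter:
            servers.setdefault(adapter, []).append(m.group(1))
    return servers


def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Resolvers that are neither on the LAN nor on the owner's allowlist.
    A DNS-changer swaps these for servers the hijacker controls."""
    flagged = {}
    for adapter, addrs in servers.items():
        bad = [a for a in addrs if a not in trusted
               and not any(ipaddress.ip_address(a) in n for n in _LAN_NETS)]
        if bad:
            flagged[adapter] = bad
    return flagged


def parse_hosts(text):
    """Return [(ip, hostname)] pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.extend((ip, h.lower()) for h in names)
    return entries


def hosts_redirects(entries):
    """Entries that send a name anywhere but loopback/0.0.0.0 are redirects;
    block entries (0.0.0.0 / 127.0.0.1) are the owner's own defence."""
    return [(ip, host) for ip, host in entries
            if ip != "0.0.0.0" and not ipaddress.ip_address(ip).is_loopback]


_PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def read_ie_proxy():
    """Read the per-user Internet Options proxy values (Windows only; None
    elsewhere). A hijacker can route all browser traffic by editing these."""
    if sys.platform != "win32":
        return None
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, _PROXY_KEY) as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                out[name] = None
    return out


def proxy_findings(settings):
    """Describe anything that is not a direct connection."""
    findings = []
    if settings.get("ProxyEnable"):
        findings.append("proxy enabled: %s" % settings.get("ProxyServer"))
    if settings.get("AutoConfigURL"):
        findings.append("PAC script set: %s" % settings["AutoConfigURL"])
    return findings


if __name__ == "__main__":
    print("Untrusted DNS:", untrusted_resolvers(parse_dns_servers(SAMPLE_IPCONFIG)))
    print("Hosts redirects:", hosts_redirects(parse_hosts(SAMPLE_HOSTS)))
    live = read_ie_proxy()
    print("Proxy:", proxy_findings(live) if live else "not on Windows")
```

To run it against a live machine, feed `parse_dns_servers` the output of `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` and `parse_hosts` the contents of `%SystemRoot%\System32\drivers\etc\hosts`. A resolver that is flagged here but that the computer claims it got "automatically" is the case lewisje describes, and is worth comparing against what the router itself hands out.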

kathedral
2011-09-06, 03:07
Just chiming in to add that the same thing is happening to me, so you're not alone. I've added the domain to my hosts file just now, but I am no closer to finding the root of the problem either.

kpejet
2011-11-30, 15:20
I was also infected with an undetectable hijacker/DNS malware. The issues were after a small round of infection on my Windows 7 x64 SP1 system.

I am an IT pro with over 17 years experience and have used SpybotSD before Sasser and MyDoom broke loose. It's always been a great tool; I would swear by Spybot's immunization on any build I do for clients (although I forgot my media PC...)

I have three media PCs: XP, Vista and Win 7. Two laptops. Four other old PCs I probably should tombstone. And two always-on virtual machines. However, only the one that I didn't have Spybot on (and Malwarebytes; sorry, I use both, and rkill and several offline tools) is the one that came down with the unfindable hijacker.

Background: I got infected with Aluron, a DNS changer virus, then I took this action.
Full scans with MSE weeded out three Aluron types. All seemed good after a reboot. So I installed the good old SpybotSD 1.6 and did the usual things. No probs. A few days later, and with no other restarts, I noticed a browser hijack happen when using a search engine, to a dodgy site (sorry, can't recall, but it seemed slightly different each time). Happened from Google and Bing. I don't have the patience for any others.

So I installed Malwarebytes and moved up to SpybotSD 2.04 beta.
Both apps picked up a few very minor things. But the issue persists, not 100% of the time, but there is hijacking now and then.

I opted to take a full trial of Malwarebytes. It didn't detect anything more local than its free version. Not surprised, I tried Sophos 9.7, as I'm entitled to this through one of my work contracts. No real breakthroughs, but I thought let's beef up the firewall and move to the Sophos firewall.
I scoured processes and found only one really suspect file wanting access now and then.
But my whole system went pear-shaped as I moved in on this file.
Firewall started crashing, lost network connections; basically it took out my IP stack from the inside. I suspect it was inside a driver file. The TSD4 rootkit/Aluron is reported to be morphing into a major driver hijacker masquerading as signed drivers before Windows can protect its files.
(By the way, scannow /sfc also found no files to repair, twice, in this whole ordeal.)

I actually had Sophos call me; hats off to them for taking the initiative. I told the engineer I would send some dumps of reg hives and logs from SAV and SFW. But that very night my Win7 media PC was stuck at POST. Seems Windows restarted during the day (don't blame the virus here; I have kids, and the power lines have been under maintenance here, making a UPS sort of a waste of time and money) and then Windows 7 wouldn't start.

Not scared of a good clean reinstall, I moved my old windows\users folders to an external HDD and reinstalled.
That fixed it :)

If it was still there I would have to suspect a bootkit, MBR infection or other device on the network.
Since no other PC here is exhibiting an issue, I rule out network device compromise. I also changed the router in the midst of my media PC infection.

It's back to that Aluron and something it left in my system, as far as I can see.
I wish I still had the system, or had P2V'd it for further analysis.
But alas, and thank god, it's gone and all better now.

kpejet
2011-11-30, 15:26
Have you considered checking your proxy or DNS settings? One of the two could have been changed, and indeed if what you describe about your "DNS" is accurate, it is possible that malware has changed your primary and secondary DNS servers to a pair controlled by a hijacker.

If you haven't set up something special on your router, try using the DNS servers from Comodo Secure DNS, and if you have (like setting the router's DNS settings to that, and also setting up ad-blocking at the router level), just set your computer to automatically get DNS settings.

As for the system proxy settings, in Internet Options you should probably change it to "Direct Connection" unless your ISP demands something else, while for Firefox, Opera, and all other browsers, change your proxy settings to "system proxy settings".

I give this advice only because it doesn't look like you said that you've already looked there.

But I changed them and check them often. Don't we all have multiple network segments? Network Meter Gadget V8 rocks almost as much as Spybot SD!

JStone
2012-01-05, 06:50
Thanks, this has helped me to understand Spybot better. I had Norton Antivirus and had constant problems with it. I even had to have someone remove viruses from my PC by remote contact twice! Not good. I'm glad I found Spybot.