Unknown hijacking: Not detected by Spybot
First, a bit of background on myself before you assume anything about me. I have worked in computer repair and spyware removal for about 10 years now. I'm normally very good at rooting out everything. My chosen tools are spybot, hijackthis, regedit, and good ol' fashioned cmd. I have never run across a problem with these tools that I could not ferret out.
Until now.
I have been struggling for the last 2 weeks with some form of hijacker that periodically sends me to an advertising website: delivery.jemacpv.com. Apparently this software/hack is trying to make money off of me. Well I won't have it, and have already added this as an override to my hosts file. If you can't remove the heart, cut off their huevos.
Now, all hijackthis logs show absolutely nothing out of the ordinary. Spybot S&D shows nothing at all except the standard tracking cookies. Rkill.com comes up empty. Procmon... well let's just say that even after swimming through all the data that I could track from iexplore.exe, nothing seems amiss. As far as the computer is concerned, I asked to go to the website. I haven't installed any software recently and if any was installed unknowingly it left seemingly no trace. The only thing I can think of is that somehow someone is spoofing my DNS.
I would suggest that Spybot update their inoculations to add delivery.jemacpv.com to their list of blocked sites. There is nothing redeeming about the site, and it is only seemingly an advertising portal. And not even the decent kind of advertising, but the "You Have Won!" and "Work From Home!" popup type. Most unsavory.
I realize this is my one and only post on this forum, so I may not be trusted or be posting this in the wrong area, but rest assured when I tell you there is something out there that is confounding even me, and the only thing that I have found to do is to block it in my hosts file. It's still in there somewhere, but now I get a 404 instead of Popup Ads. At least the hijacker is no longer making money off me.
Same Hijacker DNS issue here -Aluron
I was also infected with an undetectable hijacker/DNS malware. The issues were after a small round of infection on my Windows 7 x64 SP1 system.
I am an IT pro with over 17 years experience and have used SpybotSD before Sasser and MyDoom broke loose. It's always been a great tool; I would swear by Spybot's immunization on any build I do for clients (although I forgot my media PC...)
I have three media PCs: XP, Vista and Win 7. Two laptops. Four other old PCs I probably should tombstone. And two always-on virtual machines. However, only the one that I didn't have Spybot on (and Malwarebytes; sorry, I use both, and rkill and several offline tools) is the one that came down with the unfindable hijacker.
Background. I got infected with Aluron, a DNS changer virus, then I took this action.
Full scans with MSE, weeded out three Aluron types. All seemed good after a reboot. So I installed the good old SpybotSD 1.6 and did the usual things. No probs. A few days later and no other restarts I noticed a browser hijack happen when using a search engine to a dodgy site (sorry, can't recall, but it seemed to be slightly different each time). Happened from Google and Bing. I don't have the patience for any others.
So I installed Malwarebytes and moved up to SpybotSD 2.04 beta.
Both apps pick up a few very minor things. But the issue persists, not 100% all the time but there's hijacking now and then.
I opted to take a full trial of Malwarebytes. It didn't detect anything more local than its free version. Not surprised, I tried Sophos 9.7, as I'm entitled to this through one of my work contracts. No real breakthroughs but I thought let's beef up the firewall, move to Sophos firewall.
I scoured processes and found only one really suspect file wanting access now and then.
But my whole system went pear shaped as I moved in on this file.
Firewall started crashing, lost network connections, basically took out my IP stack from the inside. I suspect it was inside a driver file. The TSD4 rootkit/Aluron is reported to be morphing into a major driver hijacker masquerading as signed drivers before Windows can protect its files.
(By the way, sfc /scannow also found no files to repair twice in this whole ordeal.)
I actually had Sophos call me, hats off to them for taking an initiative. I told the engineer I would send some dumps of reg hives and logs from SAV and SFW. But that very night my Win7 media PC was stuck at POST. Seems Windows restarted during the day (don't blame the virus here, I have kids and the power lines have been under maintenance here, making a UPS sort of a waste of time and money) and then Windows 7 wouldn't start.
Not scared of a good clean reinstall, I moved my old windows\users folders to an external HDD and reinstalled.
That Fixed it :)
If it was still there I would have to suspect bootkit, MBR infection or other device on network.
Since no other PC here is exhibiting an issue, I rule out network device compromise. I also changed router in the midst of my media PC infection.
It's back to that Aluron and something it left in my system as far as I can see.
I wish I still had the system, or P2V'd it for further analysis.
But alas, and thank God, it's gone and all better now.
Yeah Aluron did set dud DNS entries for me
Quote: Originally Posted by lewisje
Have you considered checking your proxy or DNS settings? One of the two could have been changed, and indeed if what you describe about your "DNS" is accurate, it is possible that malware has changed your primary and secondary DNS servers to a pair controlled by a hijacker.
If you haven't set up something special on your router, try using the DNS servers from Comodo Secure DNS, and if you have (like setting the router's DNS settings to that, and also setting up ad-blocking at the router level), just set your computer to automatically get DNS settings.
As for the system proxy settings, in Internet Options you should probably change it to "Direct Connection" unless your ISP demands something else, while for Firefox, Opera, and all other browsers, change your proxy settings to "system proxy settings"
I give this advice only because it doesn't look like you said that you've already looked there.
But I changed them and check them often. Don't we all have multiple network segments? Network Meter Gadget V8 rocks almost as much as Spybot SD!
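The checks lewisje lists above (DNS servers, proxy settings) plus the hosts-file override from the first post can be audited read-only in one pass. This is an added example, not code from the thread; $ExpectedDns holds placeholder resolver addresses you would replace with your own, and nothing on the system is modified.

```powershell
# Added example (not from the thread): read-only audit of the places the posts
# above mention. $ExpectedDns is an assumed placeholder list of the resolvers
# you configured; $WatchedHost is the domain named in the first post.
$ExpectedDns = @('192.0.2.1', '192.0.2.2')   # placeholder: your real resolvers
$WatchedHost = 'delivery.jemacpv.com'

# 1. Per-adapter DNS servers via WMI (available on Windows 7 as well as newer builds)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
  ForEach-Object {
    $cfg = $_
    $servers = @($cfg.DNSServerSearchOrder | Where-Object { $_ })
    $unexpected = @($servers | Where-Object { $ExpectedDns -notcontains $_ })
    $flag = if ($unexpected.Count -gt 0) { 'CHECK' } else { 'ok' }
    "[{0}] {1}: DNS = {2}" -f $flag, $cfg.Description, ($servers -join ', ')
  }

# 2. Static NameServer values in the TCP/IP interface keys (a DNS changer's usual target)
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' |
  ForEach-Object {
    $ns = (Get-ItemProperty $_.PSPath).NameServer
    if ($ns) { "[CHECK] static NameServer on {0}: {1}" -f $_.PSChildName, $ns }
  }

# 3. WinINet proxy settings, i.e. what Internet Options shows for the current user
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { "[CHECK] proxy enabled: {0}" -f $inet.ProxyServer }
if ($inet.AutoConfigURL)      { "[CHECK] PAC script configured: {0}" -f $inet.AutoConfigURL }
if ($inet.ProxyEnable -ne 1 -and -not $inet.AutoConfigURL) { "[ok] direct connection, no PAC" }

# 4. hosts file: list every active (uncommented) mapping so overrides stay visible
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '^\s*[0-9a-fA-F.:]+\s+\S' } |
  ForEach-Object {
    $tag = if ($_ -match [regex]::Escape($WatchedHost)) { 'override' } else { 'entry' }
    "[hosts {0}] {1}" -f $tag, $_.Trim()
  }
```

Run it from an elevated Windows PowerShell prompt; any line tagged CHECK is a setting that differs from what you configured and deserves a closer look, while the hosts section simply confirms the block the first poster added is still in place.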