Thread: Unknown hijacking: Not detected by Spyboy

  1. #1
    Junior Member
    Join Date
    Aug 2011
    Posts
    4

    Unknown hijacking: Not detected by Spyboy

    First, a bit of background on myself before you assume anything about me. I have worked in computer repair and spyware removal for about 10 years now. I'm normally very good at rooting out everything. My chosen tools are spybot, hijackthis, regedit, and good ol' fashioned cmd. I have never run across a problem with these tools that I could not ferret out.

    Until now.

    I have been struggling for the last 2 weeks with some form of hijacker that periodically sends me to an advertising website: delivery.jemacpv.com. Apparently this software/hack is trying to make money off of me. Well, I won't have it, and I have already added this as an override to my hosts file. If you can't remove the heart, cut off their huevos.

    Now, all hijackthis logs show absolutely nothing out of the ordinary. Spybot S&D shows nothing at all except the standard tracking cookies. Rkill.com comes up empty. Procmon... well, let's just say that even after swimming through all the data that I could track from iexplore.exe, nothing seems amiss. As far as the computer is concerned, I asked to go to the website. I haven't installed any software recently, and if any was installed unknowingly it left seemingly no trace. The only thing I can think of is that somehow someone is spoofing my DNS.

    I would suggest that Spybot update their inoculations to add delivery.jemacpv.com to their list of blocked sites. There is nothing redeeming about the site, and it is only seemingly an advertising portal. And not even the decent kind of advertising, but the "You Have Won!" and "Work From Home!" popup type. Most unsavory.

    I realize this is my one and only post on this forum, so I may not be trusted or be posting this in the wrong area, but rest assured when I tell you there is something out there that is confounding even me, and the only thing that I have found to do is to block it in my hosts file. It's still in there somewhere, but now I get a 404 instead of Popup Ads. At least the hijacker is no longer making money off me.
    Last edited by Jeoshua; 2011-08-07 at 15:33.

  2. #2
    Junior Member
    Join Date
    Aug 2011
    Posts
    4


    Quick update: the hijack just changed tack to redirect me to pops.lightningseek.com

    It seems that my DNS theory was correct.

    If you're reading this, up yours (not you, spybot forums)

  3. #3
    Junior Member
    Join Date
    Aug 2011
    Posts
    4


    And another one.

    pops.therainbowsearch.com

  4. #4
    Member
    Join Date
    Feb 2011
    Posts
    34


    It is sort of over my head but I wonder if there is such a thing as a hijack or redirect that messes with the function of the router or DSL box if you have one? In other words malware in your router instead of your computer?

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    Hello Jeoshua,

    In order to directly examine the threat, this topic being posted in "Requests for additions to Spybot's detections", our detectives will need the file itself. If you can find any suspicious files, please zip or rar them and send them to: detections(at)spybot.info (Replace AT with @)

    Thanks.

    If this is your personal computer and you would like someone to take a look at the system please start a topic in the Malware Removal Forum and a volunteer analyst will advise when available.

    First see that forum's FAQ which also includes instructions in post #2 on how to provide DDS logs, which are the logs used for first contact analysis, not HJT.
    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

    Best regards.
    Last edited by tashi; 2011-08-08 at 22:14. Reason: Clarify
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  6. #6
    Junior Member
    Join Date
    Aug 2011
    Posts
    4


    That's actually the issue here. I can't find it at all. I prefaced my point by saying I'm actually normally fairly good at this and actually do it for a living.

    And yet, it seems there is nothing wrong with my computer at all, but these popups keep happening.

    I haven't just been relying on Spybot for this. I've used Ad-aware, HijackThis, Norton, and about 20 hours total of looking over various registry settings and folders. Nothing is there.

    As to Mr Wakefield.

    No, it doesn't install software on your router or anything. It's hard to describe, but what seems to be happening is that my computer sends out the DNS request to see what IP corresponds to a website (let's say www.google.com).

    From my perspective: The signal goes out towards the DNS. The "DNS" seems to respond, telling my browser the IP it needs to access. However, once accessed, this IP turns out to be false, and is really just an ad website.

    I'm not sure of the exact how-to of it, but some 3rd party has taken over the functions of my DNS, periodically telling me that what I thought was "www.google.com" is actually not, and gives me the address for "pops.rainbowfind.com" or what have you.

    In the past few days, the list of sites I was being sent to went from 1 site to about 30. They're all variations on each other.

    pops.rainbowseek.com
    pops.therainbowfind.com
    pops.blueseek.com
    pops.redseek.com
    pops.greenfind.com
    pops.mygreenfind.com
    pops.mygreen-search.com

    And so forth and so on, ad nauseam.

    I don't have a live sample of any malware here because, as best as I can determine, this is not local on my computer. Honestly, I didn't place this "request" in this area of the forums myself. A moderator moved it here. I fully realize that this is not a request for detection of a specific malware threat. Really, what I was trying to do is make a request for specific ad-blocking to be added in to the "Immunization" area.
    Last edited by Jeoshua; 2011-08-11 at 22:35.
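An added example, not code from the thread or from Spybot: the redirect pattern Jeoshua describes (the configured resolver handing back a wrong address, and many unrelated names landing on the same ad host) can be checked by comparing the system resolver's answers against a resolver you trust and by flagging any single IP returned for several names; the second function produces the hosts-file sinkhole entries he added by hand. The resolver answers below are constructed sample data using documentation IP ranges, and the 0.0.0.0 sink address is an assumption.

```python
from collections import defaultdict

# Constructed sample answers (documentation ranges, not real lookups):
# what the machine's configured resolver returned versus a trusted resolver.
SYSTEM_ANSWERS = {
    "www.google.com": "203.0.113.10",
    "www.example.org": "203.0.113.10",
    "mail.example.net": "203.0.113.10",
    "www.wikipedia.org": "198.51.100.7",
}
TRUSTED_ANSWERS = {
    "www.google.com": "192.0.2.44",
    "www.example.org": "192.0.2.45",
    "mail.example.net": "192.0.2.46",
    "www.wikipedia.org": "198.51.100.7",
}


def find_hijacked(system, trusted, min_shared=3):
    """Return (mismatched_names, shared_ips).

    mismatched_names: names whose system answer differs from the trusted one.
    shared_ips: any IP the system resolver handed out for min_shared or more
    unrelated names, the signature of one ad host absorbing many lookups.
    """
    mismatched = sorted(d for d in system
                        if d in trusted and system[d] != trusted[d])
    by_ip = defaultdict(list)
    for name, ip in system.items():
        by_ip[ip].append(name)
    shared = {ip: sorted(names) for ip, names in by_ip.items()
              if len(names) >= min_shared}
    return mismatched, shared


def hosts_block_entries(existing_hosts, domains, sink="0.0.0.0"):
    """Return the hosts file text with a sinkhole line appended for every
    domain not already present; existing entries and comments are kept."""
    present = set()
    for line in existing_hosts.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        present.update(name.lower() for name in fields[1:])
    new_lines = [f"{sink} {d}" for d in domains if d.lower() not in present]
    if not new_lines:
        return existing_hosts
    return existing_hosts.rstrip("\n") + "\n" + "\n".join(new_lines) + "\n"
```

Mismatches alone can be benign (CDNs and geo-DNS answer differently per resolver), so the shared-IP check is the stronger signal here.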
