Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Unknown hijacking: Not detected by Spyboy

  1. #1
    Junior Member
    Join Date
    Aug 2011
    Posts
    4

    Default Unknown hijacking: Not detected by Spyboy

    First, a bit of background on myself before you assume anything about me. I have worked in computer repair and spyware removal for about 10 years now. I'm normally very good at rooting out everything. My chosen tools are spybot, hijackthis, regedit, and good ol' fashioned cmd. I have never run across a problem with these tools that I could not ferret out.

    Until now.

    I have been struggling for the last 2 weeks with some form of hijacker that periodically sends me to an advertising website: delivery.jemacpv.com. Apparently this software/hack is trying to make money off of me. Well I won't have it, and have already added this as an override to my hosts file. If you can't remove the heart, cut off their huevos.

    Now, all hijackthis logs show absolutely nothing out of the ordinary. Spybot S&D shows nothing at all except the standard tracking cookies. Rkill.com comes up empty. Procmon... well let's just say that even after swimming through all the data that I could track from iexplore.exe, nothing seems amiss. As far as the computer is concerned, I asked to go to the website. I haven't installed any software recently and if any was installed unknowningly it left seemingly no trace. The only thing I can think of is that somehow someone is spoofing my DNS.

    I would suggest that spybot update their innoculations to add delivery.jemacpv.com to their list of blocked sites. There is nothing redeming about the site, and it is only seemingly an advertising portal. And not even the decent kind of advertising, but the "You Have Won!" and "Work From Home!" popup type. Most unsavory.

    I realize this is my one and only post on this forum, so I may not be trusted or be posting this in the wrong area, but rest assured when I tell you there is something out there that is confounding even me, and the only thing that I have found to do is to block it in my hosts file. It's still in there somewhere, but now I get a 404 instead of Popup Ads. At least the hijacker is no longer making money off me.
    Last edited by Jeoshua; 2011-08-07 at 16:33.

  2. #2
    Junior Member
    Join Date
    Aug 2011
    Posts
    4

    Default

    Quick update, the hijack just changed tack to redirect me to pops.lightningseek.com

    It seems that my DNS theory was correct.

    If you're reading this, up yours (not you, spybot forums)

  3. #3
    Junior Member
    Join Date
    Aug 2011
    Posts
    4

    Default

    And another one.

    pops.therainbowsearch.com

  4. #4
    Member
    Join Date
    Feb 2011
    Posts
    34

    Default

    It is sort of over my head but I wonder if there is such a thing as a hijack or redirect that messes with the function of the router or DSL box if you have one? In other words malware in your router instead of your computer?

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello Jeoshua,

    In order to directly examine the threat, this topic being posted in "Requests for additions to Spybot's detections", our detectives will need the file itself. If you can find any suspicious files please zip or rar them and send to: detections(at)spybot.info (Replace AT with @)

    Thanks.

    If this is your personal computer and you would like someone to take a look at the system please start a topic in the Malware Removal Forum and a volunteer analyst will advise when available.

    First see that forum's FAQ which also includes instructions in post #2 on how to provide DDS logs, which are the logs used for first contact analysis, not HJT.
    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

    Best regards.
    Last edited by tashi; 2011-08-08 at 23:14. Reason: Clarify
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  6. #6
    Junior Member
    Join Date
    Aug 2011
    Posts
    4

    Default

    That's actually the issue here. I can't find it at all. I prefaced my point by saying I'm actually normally fairly good at this and actually do it for a living.

    And yet, it seems there is nothing wrong with my computer at all, but these popups keep happening.

    I haven't just been relying on Spybot for this. I've used Ad-aware, HijackThis, Norton, and about 20 hours total of looking over various registry settings and folders. Nothing is there.

    As to Mr Wakefield.

    No, it doesn't install software on your router or anything. It's hard to describe, but what seems to be happening is that my computer sends out the DNS request to see what IP corresponts to a website (let's say www.google.com).

    From my perspective: The signal goes out towards the DNS. The "DNS" seems to respond, telling my browser the IP it needs to access. However, once accessed, this IP turns out to be false, and is really just an ad website.

    I'm not sure of the exact how-to of it, but some 3rd party has taken over the functions of my DNS, periodically telling me that what I thought was "www.google.com" is actually not, and gives me the address for "pops.rainbowfind.com" or what have you.

    In the past few days, the list of sites I was being sent to went from 1 site to about 30. They're all variations on each other.

    pops.rainbowseek.com
    pops.therainbowfind.com
    pops.blueseek.com
    pops.redseek.com
    pops.greenfind.com
    pops.mygreenfind.com
    pops.mygreen-search.com

    And so forth and so on, ad nauseum.

    I don't have a live sample of any malware here because, as best as I can determine, this is not local on my computer. Honestly I didn't place this "request" in this area of the forums, myself. A moderator moved it here. I fully realize that this is not a request for detection of a specific malware threat. Really, what I was trying to do, is make a request for specific ad-blocking to be added in to the "Immunization" area.
    Last edited by Jeoshua; 2011-08-11 at 23:35.

  7. #7
    Senior Member
    Join Date
    May 2010
    Posts
    114

    Lightbulb

    Have you considered checking your proxy or DNS settings? One of the two could have been changed, and indeed if what you describe about your "DNS" is accurate, it is possible that malware has changed your primary and secondary DNS servers to a pair controlled by a hijacker.

    If you haven't set up something special on your router, try using the DNS servers from Comodo Secure DNS, and if you have (like setting the router's DNS settings to that, and also setting up ad-blocking at the router level), just set your computer to automatically get DNS settings.

    As for the system proxy settings, in Internet Options you should probably change it to "Direct Connection" unless your ISP demands something else, while for Firefox, Opera, and all other browsers, change your proxy settings to "system proxy settings"

    I give this advice only because it doesn't look like you said that you've already looked there.

  8. #8
    Junior Member
    Join Date
    Sep 2011
    Posts
    1

    Default

    Just chiming in to add that the same thing is happening to me, so you're not alone. I've added the domain to my hosts file just now, but I am no closer to finding the root of the problem either.

  9. #9
    Junior Member
    Join Date
    Nov 2011
    Posts
    2

    Cool Same Hijacker DNS issue here -Aluron

    I was also infected with an undetectable hijacker/DNS malware. The issues were after a small round of infection on my Windows 7 x64 SP1 system.

    I am an IT pro with over 17 years experience and have used SpybotSD before sasser and mydoom broke loose. Its always been a great tool, i would swear by the Spybots immunization on any build i do for clients (Although I forgot my media pc...)

    I have three media pc's, xp, vista and win 7. Two laptops. Four other old pc's i probably should tombstone. And two always on Virtual machines. However only the one that I didnt have Spybot (and malwarebtyes -sorry i use both, and rkill and several offline tools) is the one that came down with the unfindable hijacker.

    Background. I got infected with Aluron, a DNS changer virus, then i took this action.
    Full scans with MSE, weeded out three alurons types. All seemed good after a reboot. So I installed the good old SpybotSD1.6 and did the usual things. No probs. A few days later and no other restarts I notices a browser hijack happen when using a search engine to a dodgy sit(sory cant recall, but seemed to slightly different each time. Happened from Google and Bing. I dont have the patience for any others.

    So i installed MAlware bytes and moves up to SpybotSD2.04beta.
    Both apps pick up a few very minor things. But the issue persists, not 100% all the time but there Hijacking now and then.

    I opted to take a full trial of malware btyes. It didnt detect anything more local than its free version. Not surprised i tried Sophos 9.7, asi'm entitled to this through on of my work contracts. Not real breakthroughs but i though lets beef up firewall move to sophos firewall.
    I scoured processes and found only one really suspect file wanting access now and then.
    But My whole system went pear shaped as I moved in on this file.
    Firewall started crashing. lost network connections, basically took out my ip stack from the inside. I suspect it was inside a driver file. the TSD4 rootkit/Aluron is reported to be morphinging into a major driver hijacker masquarading as signed drivers before windows can protect its files.
    (by the way scannow /sfc also found no files to repair twice in this whole ordeal)

    I actually had Sophos call me, hats off to them for taking an inititive. I told the engineer i would send some dumps of reg hives and logs from SAV and SFW. But that very night my win7 Media PC was stuck at POST. Seems Windows restarted during the day (Dont blame virus here, I have kids and the powerlines have been under mainteance here, making UPS sort of a waste of time and money) and then windows 7 wouldnt start.

    Not scared of a good clean reinstall I moved my old windows\users folders to an external HDD and reinstalled.
    That Fixed it

    If it was still there I would have to suspect bootkit, MBR infection or other device on network.
    Since no other pc heer is exhibiting an issue, i rule out network device compromise. I also changed router in the midst of my media pc infection.

    Its back to that Aluron and something it left in my system as far as I can see.
    I wish i still had the system , or P2V'd it for further analysis.
    But alas and thankgod its gone and all better now.

  10. #10
    Junior Member
    Join Date
    Nov 2011
    Posts
    2

    Thumbs up Yeah Aluron did set dud DNS entries for me

    Quote Originally Posted by lewisje View Post
    Have you considered checking your proxy or DNS settings? One of the two could have been changed, and indeed if what you describe about your "DNS" is accurate, it is possible that malware has changed your primary and secondary DNS servers to a pair controlled by a hijacker.

    If you haven't set up something special on your router, try using the DNS servers from Comodo Secure DNS, and if you have (like setting the router's DNS settings to that, and also setting up ad-blocking at the router level), just set your computer to automatically get DNS settings.

    As for the system proxy settings, in Internet Options you should probably change it to "Direct Connection" unless your ISP demands something else, while for Firefox, Opera, and all other browsers, change your proxy settings to "system proxy settings"

    I give this advice only because it doesn't look like you said that you've already looked there.
    But I changed them and check them often. Dont we all have multiple network segments? Network Meter Gadget V8 rocks almost as much as spybot SD!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •