[Gary Bagshawe]

Hiya all, I have come accross a rather nasty browser hijacker in the last 24 hours which not only takes over your browser but will not let you set your home page back to what you want. when you type in websites to the address bar it just goes to what it wants which are some very nasty sites. it gets all it's stuff seemingly from jupk.whatever.
I have run all the spyware malware software in safemode and emptied temp files etc but this is a real bad one.
Basically it hijacks your dns server which means that you cant even get your e-mail through outlook/express.
After much searching, swearing and banging head against wall the solution is as follows.

Go to control panel
network connections
Then right click LAN, internet connections, properties.
then click in the box which says "obtain DNS server automatically"

Hey presto fixed.

[stepheno]

Thanks for posting, Gary I assume you found and exterminated the culprit?

[Gary Bagshawe]

I cant find any reference to it on my laptop anywhere but after doing the above all seems to be fine. There a a fair number of pro it people who are having the same problem with this HJ and there are not many people who have found a solution at all to the problem. However the above seems to work fine and as we speak I am downloading all the latest windows security updates and installing them. It really is a bad one as you cant even search for stuff on the web after infection as it just redirects to some really horrible stuff. I found the solution by using the aol browser. It had even taken over my version of firefox2 and displayed the same problems.

[stepheno]

Thanks Gary, worth a rep or two that just don't send me any emails

[orangepeel]

Try hijackthis. Awesome wee program. I use it all the time to cleanup peoples IE installs. (I'm assuming it was IE that was hijacked)

Run it, do a scan, tick all the BHO entries the do the cleanup selected items.

|MG| Free Download - HijackThis 1.99.1


As for the LAN thing - that's a seperate issue. Albeit caused by the same spyware. Hijacked DNS can't stop you changing the default homepage. Although it could redirect any DNS lookups to different servers.

[Gary Bagshawe]

Quote:

Originally Posted by orangepeel

Try hijackthis. Awesome wee program. I use it all the time to cleanup peoples IE installs. (I'm assuming it was IE that was hijacked)

Run it, do a scan, tick all the BHO entries the do the cleanup selected items.

|MG| Free Download - HijackThis 1.99.1


As for the LAN thing - that's a seperate issue. Albeit caused by the same spyware. Hijacked DNS can't stop you changing the default homepage. Although it could redirect any DNS lookups to different servers.

highjack this, adaware, spybot search and destroy plus many other well known and proven detection/removal systems do not find this one. even after downloading the latest updates

[Nathan]

Guys,

The only problem with the jupk.com infection is that it's INCREDIBLY polymorphic. It also modifies its file size and name after every reboot in an attempt to sidestep heuristic tools.

The DNS change only works for the initial release of this malware. Its since been fixed so that if you're hit by the newer version you're out of luck!

Our researchers are currently looking into it in more detail but unfortunately there's potential for it to have a rootkit component which isn't removed by the HJT and DNS clean up. The use of the rootkit is to enable it to hide itself from the common antivirus software on the market. What else it does with it we're still investigating.

Personally I would recommend caution at the moment. Oh and the installation of a decent Security package!