CastleCops, Internet Crime Fighters
seek-aid.net taking over my searches

Forum: Trend Micro HijackThis Logs
S2foster (Cadet, joined Jun 24, 2004, USA, 5 posts)
Posted: Tue Sep 12, 2006 9:18 pm
Subject: seek-aid.net taking over my searches

I am at the limit of my technical knowledge here so hopefully, this is the right place to raise the question and I can articulate it clearly:

I had set up my default IE search engine to be Google. I also set it so that if I typed a search term in the address bar, it used google as the search engine and returned results in the window below.

For the last week or so, whenever I used a search term it would reroute the search to something that in the address bar was labeled www9.seek-aid.net. I noticed an opt-out hyperlink at the screen bottom, turned it 'off' (it uses a cookie) and it forced the default to msn.com's search. I also deleted all regedit keys I found containing seek-aid.net. (There was only one and it may have been just a history item.)

I went into the registry and made sure that every instance of ie.search.msn.com was replaced with the appropriate google references and set up all of the default search registry entries to google according to instructions found on google. Now, the search toolbar button on IE defaults to google, but the address bar search still goes to MSN, and back to seek-aid if I delete that cookie. I can see that something is redirecting the search from google to MSN (directed by this seek-aid thing!).

I ran SpyCatcher, AdAware, SpyBot S&D, CleanCache, CCleaner, OneCare Live, BFU, etc. I followed the 'major geeks' removal instructions through deleting the prefetch files and even tried the surfsidekick removal procedure in its entirety. I also removed Morpheus. I currently use a fully up to date copy of McAfee Security Suite Antivirus and Personal Firewall.

No luck. I ran HijackThis! both before and after. The logs appear to be clean. Attached is the most recent one I ran.

Obviously, this trojan (if it is one!) or whatever it is is still hijacking my browser. But I am at a total loss of how to find it or what to do to get rid of it.

I tried googling 'seek-aid' (and several variants) and searching it on MajorGeeks and a few other support forums, such as this one, and found nothing.

PLEASE HELP or at least point me in the right direction!




Attachment: hijackthis.zip (4.43 KB)
S2foster (Cadet, joined Jun 24, 2004, USA, 5 posts)
Posted: Thu Sep 14, 2006 6:19 pm
Subject: seek-aid.net taking over my searches

Is there additional information I can supply, or things to try, that will help someone give me advice?

Thanks...

permafour (Cadet, joined Sep 18, 2006, USA, 1 post)
Posted: Mon Sep 18, 2006 4:04 pm
Subject: One of our employees reported the same thing to me.

It appears to be a problem with an upstream DNS server returning bad responses. I suspect that's the case with you.

I would call your ISP's tech support and explain the problem you're having.

pjcdev (Cadet, joined Sep 20, 2006, USA, 3 posts)
Posted: Wed Sep 20, 2006 3:46 pm

I've had the same problem at my office network. A lot of the private URLs I browse to end up at www9.seek-aid.net. I searched and searched for that string throughout my PC but cannot find anything. I've run every spyware cleaner known to man but seem to have a clean PC.

A few observations: I can ping lksdjflsdlkj.com (or any other nonsense domain) and get the same IP address every time: 64.158.56.46. I get this for my internal URLs as well.

When I point my DNS server away from our domain controller, I get the expected "bad domain" message when pinging blahblahlksjflsdj.com.

We're still researching this as a problem with our PDC. Are you in a similar setup?

This is the ONLY post out there I could find on seek-aid.net so I thought I'd add my 2 cents here.

pjcdev (Cadet, joined Sep 20, 2006, USA, 3 posts)
Posted: Wed Sep 20, 2006 6:19 pm

It looks like "permafour" is right on.

My PDC relies on my ISP's DNS server for hostnames not in our domain. Nonsense hostnames always return 64.158.56.46. I found out that "auto.search.msn.com" and "sea.search.msn.com" also return this IP. (These are the default hostnames IE uses after DNS errors.) A DNS server from mit.edu returns the real IPs: "18.7.20.76, 18.7.20.100". No word yet from our ISP (US-LEC) why this is the case.

For all the NSLOOKUP ugliness, see the attachment.




Attachment: hijack_dns_autosearch.txt (1.66 KB, NSLOOKUP output)
pjcdev (Cadet, joined Sep 20, 2006, USA, 3 posts)
Posted: Wed Sep 20, 2006 8:07 pm

Our ISP (US-LEC) recently added Paxfire to their network. It's a network appliance that hijacks hostnames that are not found in DNS (i.e. mistyped URLs) and forwards you to an advertisement. This, of course, frustrates the user to no end but makes a nickel for the ISP.

If you use US-LEC, you can call them and opt out. What chaps my hide is they never notified us of the change and a few of us have spent a considerable amount of time debugging their system. Today's special: free spam with your Internet connection.

So, if you (or someone upstream from you) are using US-LEC DNS servers, beware.
cachens1.uslec.net - 66.255.85.8
cachens2.uslec.net - 66.255.85.9

I had never heard of Paxfire before but Wikipedia has a pretty clear explanation of it.
http://en.wikipedia.org/wiki/Paxfire

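The two symptoms pjcdev reports, nonsense names all resolving to one address and the IE fallback hosts landing on that same address, are exactly what a resolver-side NXDOMAIN wildcard (Paxfire-style) looks like from a client. The script below is an added example, not code from the thread or from any of the posters; it turns those observations into a repeatable check. The classification rule (all probes answering with one address means wildcarding, a partial answer set means suspicious) is my own; the stub resolver and its addresses are constructed for the example from the values quoted in this thread and are not live lookups.

```python
"""Detect NXDOMAIN wildcarding (Paxfire-style redirection) from the client side.

Technique: resolve several random, non-existent hostnames. An honest resolver
returns NXDOMAIN for all of them; a wildcarding resolver answers every one
with the same "sink" address. Then check whether legitimate hostnames that
browsers use after a DNS error (IE's auto.search.msn.com / sea.search.msn.com,
as quoted in this thread) also land on that sink.
"""
import random
import socket
import string
from collections import Counter

# Hostnames IE falls back to after a DNS error, as reported in the thread.
IE_AUTOSEARCH_HOSTS = ("auto.search.msn.com", "sea.search.msn.com")


def random_label(length=12, rng=random):
    """A random lowercase label that will not exist in any real zone."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def probe_names(count=5, tld="com", rng=random):
    """Build `count` nonsense hostnames under `tld` (e.g. lksdjflsdlkj.com)."""
    return [f"{random_label(rng=rng)}.{tld}" for _ in range(count)]


def resolve_with_system(name):
    """Real lookup via the OS resolver; None means NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def assess(resolve, probes):
    """Classify resolver behaviour from answers to nonsense names.

    resolve: callable mapping a hostname to an IP string, or None on NXDOMAIN.
    Returns {"verdict": ..., "sink": ..., "answers": {name: ip_or_None}}.
    """
    answers = {name: resolve(name) for name in probes}
    returned = [ip for ip in answers.values() if ip]
    if not returned:
        return {"verdict": "clean", "sink": None, "answers": answers}
    sink, hits = Counter(returned).most_common(1)[0]
    # Every nonsense name answered with one address: textbook wildcarding.
    # Only some answered: something is still wrong, but inspect by hand.
    verdict = "wildcarded" if hits == len(probes) else "suspicious"
    return {"verdict": verdict, "sink": sink, "answers": answers}


def check_collateral(resolve, sink, hosts=IE_AUTOSEARCH_HOSTS):
    """Legitimate hostnames that the resolver also points at the sink address."""
    return [host for host in hosts if resolve(host) == sink]


def make_stub(sink=None, known=None):
    """Constructed resolver for offline use (not a live DNS server).

    Names in `known` get their listed address; every other name gets `sink`,
    so sink=None models an honest resolver and sink="64.158.56.46" models
    the behaviour reported against the US-LEC cache servers in this thread.
    """
    table = dict(known or {})

    def resolve(name):
        return table.get(name, sink)

    return resolve


if __name__ == "__main__":
    # Run against the machine's configured resolver and print the verdict.
    result = assess(resolve_with_system, probe_names())
    print(result["verdict"], result["sink"])
    if result["sink"]:
        print("also hijacked:", check_collateral(resolve_with_system, result["sink"]))
```

Run it from a workstation on the suspect network: a "wildcarded" verdict with a non-empty collateral list is the DNS-level proof that the problem is upstream, which is the point at which the HijackThis log stops being relevant and the ISP call starts. Use five or more probes; a single nonsense name cannot distinguish a wildcard from a coincidental real domain.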
windharp (Cadet, joined Sep 21, 2006, USA, 1 post)
Posted: Thu Sep 21, 2006 12:52 pm

Just wanting to mention that this thread seems to be the only available information on this topic. Thanks for investigating & sharing!

(PS: Access counters for this page could really be interesting over the next few days.)

Prince_Serendip (Site Moderator, joined Sep 07, 2002, 17542 posts; groups: 1st Responders, MIRT Moderators, MVP, Premium, RootKit Detection Hosts, Rootkit Experts, Rootkit Responders)
Posted: Fri Sep 22, 2006 5:17 pm

You need to post your HijackThis log where all can see it or the 1st Responders will not help you. They won't read logs set as attachments. Thanks.

Thanks also for relating to the general problem here without giving advice on the log. (Only CastleCops authorized Staff can do that in this forum.)

I welcome all of you to CastleCops.

_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
dba-one (Cadet, joined Aug 02, 2007, USA, 1 post)
Posted: Thu Aug 02, 2007 3:19 pm

I too am having this issue. We are a US-LEC customer. My issue though is when I ping a server within my network it fails and comes back with an address of 64.158.56.46. This doesn't happen all the time but it is often. Since this began I've noticed a ton of Spam as well. I've contacted LEC to see what they have to say.
