I just finished repairing a customer's machine and thought that all was ok. Explorer opened up ok and displayed the ninemsn.com.au default webpage ok, but when I tried to access google.com or google.com.au I would get a timeout and the page would not display. Not even pinging the site from cmd prompt would work.
After re-running eset online scan, Malware bytes, etc and not finding any additional infections and stood there scratching my head when it dawned on me.. the hosts file!
Opened CMD prompt, navigated to c:\windows\system32\drivers\etc but there was not 'hosts' file.
DIR /AH revealed a hidden hosts file.
EDIT HOSTS revealed a massively hijacked HOSTS file with redirects for google and many others. Aha!
ATTRIB HOSTS revealed archived, read only, system, hidden attributes all on.
ATTRIB -ARSH wouldn't work.
Downloaded FILE ASSASSIN from Malwarebytes.org, even that wouldn't unlock the file. Even marking it for deletion on reboot.
Took the drive out, piggy backed it on another system as a slave drive. Still couldn't delete the HOSTS file with DEL or FILE ASSASSIN. Very weird if you ask me.
Time to get smart... Navigated back one level and renamed the ETC folder to ETCOLD, created a new folder called ETC. Copied all the other files from ETCOLD to the new ETC folder (all files except for HOSTS).
Then copy/paste a clean HOSTS file (from the clean machine) to to the new ETC folder. ie. copy c:\windows\system32\drivers\etc\hosts f:\windows\system32\drivers\etc
For some added protection, I then marked the HOSTS file as READ-ONLY, just to (maybe) protect future hijacks. (ATTRIB +R HOSTS)
Put the drive back into the original computer and viola! Explorer opened up google first time!
It's not the first time I've seen HOSTS file hijacks, but it's first time I couldn't delete the file or modify it.
A simple solution if you're stuck with a stubborn hosts file.
|The Following User Says Thank You to RadAct For This Useful Post:|
Re: Browser Hijack/Redirects
Welcome to Major Geeks!
Note that setting the hosts file to read-only will not help since most of the current malware around already knows about that trick and they simply change the permissions again and then make their changes. This only worked for older malware that was not so smart.
"There are 10 types of people in this world. Those who understand binary and those who don't."
Support Majorgeeks on Facebook:
|Thread||Thread Starter||Forum||Replies||Last Post|
|browser redirects||hardcor||Malware Removal||1||11-28-09 23:51|
|Browser Redirects||kwaka||Malware Removal||3||04-27-09 16:58|
|Browser Redirects||cahandy||Malware Removal||9||03-06-09 00:54|
|Browser Search Redirects||hdebo||Malware Removal||8||07-04-08 13:16|
|Browser always redirects to QSRCH.COM via DNS||wormsign||Malware Removal||1||06-16-05 10:26|