search results get redirected

badgolferman

I can't get the right answer anywhere else so I'm hoping someone here
can help please.

Windows XP computer seems to have a redirect spyware/virus messing with
the search capabilities of all browsers. You do a search in Google and
when clicking on the link it redirects to a no name search engine. If
you go back to the Google search results and click the link the second
or third time then it takes you to the correct site. Gmail is
difficult to get to also, something about SSL error.

I changed the DNS servers to OpenDNS. I ran AVAST, MBAM, NOD32 online
scan. All came back clean. Hijack This gave me a clue that the HOSTS
file was locked. I navigated to c:\windows\system32\drivers\etc to
look at it but it is locked and hidden from view. I can't delete it
from Explorer and not from the command line either -- access is denied.
I have tried all the suggestions found on the web telling me to take
ownership or change system attributes through the command line. None
work.

The infected computer is one of several computers connected to my
wireless router. None of the others are having any problems. I assume
the HOSTS file has been overtaken by a nasty malware and somehow that
is redirecting the search results. Maybe something else is the problem
and you can help.

Thank you.
 
sh@dow

badgolferman said:
I can't get the right answer anywhere else so I'm hoping someone here
can help please.

Windows XP computer seems to have a redirect spyware/virus messing with
the search capabilities of all browsers. You do a search in Google and
when clicking on the link it redirects to a no name search engine. If
you go back to the Google search results and click the link the second
or third time then it takes you to the correct site. Gmail is difficult
to get to also, something about SSL error.

I changed the DNS servers to OpenDNS. I ran AVAST, MBAM, NOD32 online
scan. All came back clean. Hijack This gave me a clue that the HOSTS
file was locked. I navigated to c:\windows\system32\drivers\etc to look
at it but it is locked and hidden from view. I can't delete it from
Explorer and not from the command line either -- access is denied. I
have tried all the suggestions found on the web telling me to take
ownership or change system attributes through the command line. None
work.

The infected computer is one of several computers connected to my
wireless router. None of the others are having any problems. I assume
the HOSTS file has been overtaken by a nasty malware and somehow that is
redirecting the search results. Maybe something else is the problem and
you can help.

Thank you.

I'd boot from a linux live cd and see what was in that hosts
file. Quite easy to navigate using the file explorer. Maybe you can't
find it because it's not there?
I have a very poor view of these free DNS servers, a lot of them
redirect.
Try downloading Steve Gibson's DNS benchmark tool.
http://www.grc.com/dns/benchmark.htm
It will tell you in a very short time which DNS servers are
fastest and which redirect. But only AFTER you've sorted out the hosts
problem.
BTW, maybe even hijackthis will sort out your hosts file. Try it.
It's pretty tiny, and portable.
http://free.antivirus.com/hijackthis/
FWIW
[]'s
 
David H. Lipman

badgolferman said:
I can't get the right answer anywhere else so I'm hoping someone here
can help please.

Windows XP computer seems to have a redirect spyware/virus messing with
the search capabilities of all browsers. You do a search in Google and
when clicking on the link it redirects to a no name search engine. If
you go back to the Google search results and click the link the second
or third time then it takes you to the correct site. Gmail is
difficult to get to also, something about SSL error.

I changed the DNS servers to OpenDNS. I ran AVAST, MBAM, NOD32 online
scan. All came back clean. Hijack This gave me a clue that the HOSTS
file was locked. I navigated to c:\windows\system32\drivers\etc to
look at it but it is locked and hidden from view. I can't delete it
from Explorer and not from the command line either -- access is denied.
I have tried all the suggestions found on the web telling me to take
ownership or change system attributes through the command line. None
work.

The infected computer is one of several computers connected to my
wireless router. None of the others are having any problems. I assume
the HOSTS file has been overtaken by a nasty malware and somehow that
is redirecting the search results. Maybe something else is the problem
and you can help.

Thank you.

Use my Multi-AV Scanning Tool and start with the Trend Micro module.

You may have a legit DLL that's been trojanized.
 
badgolferman

gaz said:
Second that, tdsskiller has a good chance of getting this type of
bugger.

http://support.kaspersky.com/viruses/solutions?qid=208280684

I tried it and it didn't find anything either. The closest one to
actually doing anything is Hijack This which can read it but tells me
it's locked.

The HOSTS file remains hidden/invisible in the directory and I can't
get it despite being the administrator and having all files be visible.
The directory shows 4 icons inside, but the command line tells me there
is 5. Search results continue to get redirected when using IE or
Chrome. Doesn't Chrome share many network options with IE? I can't
remember if Firefox is affected. If the issue is a HOSTS file then
Firefox should be no different. I'll mess around with it some more
tonight hopefully.
 
Sh@dow

badgolferman said:
I tried it and it didn't find anything either. The closest one to
actually doing anything is Hijack This which can read it but tells me
it's locked.
Aha, my suggestion.
It found no suspicious startups or shells?
badgolferman said:
The HOSTS file remains hidden/invisible in the directory and I can't
get it despite being the administrator and having all files be
visible. The directory shows 4 icons inside, but the command line
tells me there is 5. Search results continue to get redirected when
using IE or Chrome. Doesn't Chrome share many network options with
IE? I can't remember if Firefox is affected. If the issue is a
HOSTS file then Firefox should be no different. I'll mess around
with it some more tonight hopefully.
Like I said before, download any linux live-cd (slax is OK, or
puppy), boot from it, and just navigate to the hosts file using the file
manager. You can do what you like, you will be root. Edit it, copy it
to a usb, delete it. Root is boss.
[]'s
 
badgolferman

Shadow said:
Like I said before, download any linux live-cd (slax is OK, or
puppy), boot from it, and just navigate to the hosts file using the
file manager. You can do what you like, you will be root. Edit it,
copy it to a usb, delete it. Root is boss.

Thank you for your suggestion. I downloaded a Knoppix Live CD and made
a disc out of it. I booted from the disc and navigated to the
c:\windows\system32\drivers\etc directory and sure enough there was the
HOSTS file. It was filled with all versions of Google, Yahoo, Bing
domains and all pointing to one particular IP address. Hijack This!
identified all those entries in the HOSTS file but couldn't delete
them. I deleted the file, rebooted to Windows and downloaded a new
HOSTS file from the MVPS website. The system seems to be working okay
tonight but I will cross my fingers and check again tomorrow.
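The pattern badgolferman found (dozens of search and webmail hostnames all pinned to one address) is easy to check for programmatically. The following is an added example, not code from the thread or from HijackThis or any other tool named in it: it parses hosts-file text, flags entries that send watched domains anywhere other than loopback, and flags any non-local address that many distinct hostnames share. The sample hosts text is constructed, and 192.0.2.10 is a documentation-range address standing in for the real redirect address.

```python
"""Audit a hosts file for the search-engine hijack pattern described above:
many well-known domains all pinned to one non-local address.

Added example, not code from the thread or from any tool it mentions. The
sample hosts text is constructed; 192.0.2.10 is a documentation (TEST-NET-1)
address standing in for whatever redirect address an infected file carries.
"""
import ipaddress
import sys
from collections import defaultdict

# Domains malware most often pins in a hosts file (search, webmail, vendors).
# A clean hosts file has no reason to carry entries for any of these.
WATCH_SUFFIXES = ("google.com", "google.co.uk", "yahoo.com", "bing.com",
                  "gmail.com", "live.com", "microsoft.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        parts = line.split()
        if len(parts) < 2:
            continue                             # blank or malformed line
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # first field is not an address
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def is_local(ip):
    """127.0.0.1, ::1 and 0.0.0.0 are what blocklist-style hosts files use."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text, cluster_threshold=5):
    """Return findings as tuples: watched domains sent to a non-local address,
    and any non-local address that many distinct hostnames share."""
    findings = []
    names_by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        names_by_ip[ip].add(name)
        if is_local(ip):
            continue                             # pinning to loopback is benign
        if any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES):
            findings.append(("watched-domain-redirect", name, ip))
    for ip, names in names_by_ip.items():
        if not is_local(ip) and len(names) >= cluster_threshold:
            findings.append(("many-hosts-one-address", ip, len(names)))
    return findings


# Constructed sample mimicking the infected file described in the post above.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com
192.0.2.10      google.com
192.0.2.10      www.google.co.uk
192.0.2.10      search.yahoo.com   # inline comment
192.0.2.10      www.bing.com
192.0.2.10      mail.google.com
192.0.2.10      www.gmail.com
0.0.0.0         ads.example.net    # blocklist entry, not a hijack
"""

if __name__ == "__main__":
    # Pass a path (for example a hosts file copied off the disk from a live CD),
    # or run with no argument to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print(*finding)
```

Running it against a copy of the file taken from a live CD, as done in the thread, sidesteps whatever is hiding the file under Windows; the cluster check catches hijacks of domains not in the watch list, since a legitimate hosts file rarely maps many unrelated names to one routable address.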
 
Leythos

badgolferman said:
Thank you for your suggestion. I downloaded a Knoppix Live CD and made
a disc out of it. I booted from the disc and navigated to the
c:\windows\system32\drivers\etc directory and sure enough there was the
HOSTS file. It was filled with all versions of Google, Yahoo, Bing
domains and all pointing to one particular IP address. Hijack This!
identified all those entries in the HOSTS file but couldn't delete
them. I deleted the file, rebooted to Windows and downloaded a new
HOSTS file from the MVPS website. The system seems to be working okay
tonight but I will cross my fingers and check again tomorrow.

One of the latest malware does this, on a machine I recently saw that
was infected it was a fake ESET.EXE antivirus program.

On that same machine, before fixing the host file, MBAM removed some
1800 trojan/fake items.

In order to access the HOST file I had to change the VIEW options to
show Hidden and System files, and open the COMMAND prompt under an Admin
account, browse to it via the command prompt and then use the manual
delete command. Even with UAC turned off, while windows explorer could
see it, it could not be deleted via the GUI.
 
FromTheRafters

badgolferman said:
Thank you for your suggestion. I downloaded a Knoppix Live CD and made
a disc out of it. I booted from the disc and navigated to the
c:\windows\system32\drivers\etc directory and sure enough there was the
HOSTS file. It was filled with all versions of Google, Yahoo, Bing
domains and all pointing to one particular IP address. Hijack This!
identified all those entries in the HOSTS file but couldn't delete
them. I deleted the file, rebooted to Windows and downloaded a new
HOSTS file from the MVPS website. The system seems to be working okay
tonight but I will cross my fingers and check again tomorrow.

As you probably already know, you haven't addressed what put it there,
and what hid and protected it under Windows. You likely still have work
to do even though one symptom has been addressed.
 
Shadow

badgolferman said:
Thank you for your suggestion. I downloaded a Knoppix Live CD and made
a disc out of it. I booted from the disc and navigated to the
c:\windows\system32\drivers\etc directory and sure enough there was the
HOSTS file. It was filled with all versions of Google, Yahoo, Bing
domains and all pointing to one particular IP address. Hijack This!
identified all those entries in the HOSTS file but couldn't delete
them. I deleted the file, rebooted to Windows and downloaded a new
HOSTS file from the MVPS website. The system seems to be working okay
tonight but I will cross my fingers and check again tomorrow.
Glad to hear it worked. The IP address could be a giveaway as
to the name of the malware, you could have given it to us, munged.
(like two hundred dot one three eight dot, etc).
Anyway, whatever put it there altered explorer shell and other
stuff. Probably has an autorun.inf in c:, or a run= command in
registry, or some kind of browser hook. Sure hijackthis didn't find
anything? The malware is still there, somewhere.
PS - rename hijackthis.exe to something like notepad.exe.
Sometimes does the trick. I'd also run superantispyware portable and
malwarebytes just to be sure. In that order.
[]'s
 
badgolferman

Leythos said:
One of the latest malware does this, on a machine I recently saw that
was infected it was a fake ESET.EXE antivirus program.

On that same machine, before fixing the host file, MBAM removed some
1800 trojan/fake items.

In order to access the HOST file I had to change the VIEW options to
show Hidden and System files, and open the COMMAND prompt under an
Admin account, browse to it via the command prompt and then use the
manual delete command. Even with UAC turned off, while windows
explorer could see it, it could not be deleted via the GUI.

Hello Leythos,

This HOSTS file was NOT visible from the command line nor from Windows
Explorer with all options enabled and logged in as an administrator
although not as THE Administrator. However I knew it was there because
the command line was telling me there were 5 objects in the directory
and Hijack This! could read the file. The other spyware cleaners or
anti-virus programs never even made a peep about the HOSTS file, maybe
because it was hidden and locked.
 
badgolferman

Shadow said:
Thank you for your suggestion. I downloaded a Knoppix Live CD and
made a disc out of it. I booted from the disc and navigated to the
c:\windows\system32\drivers\etc directory and sure enough there was
the HOSTS file. It was filled with all versions of Google, Yahoo,
Bing domains and all pointing to one particular IP address. Hijack
This! identified all those entries in the HOSTS file but couldn't
delete them. I deleted the file, rebooted to Windows and
downloaded a new HOSTS file from the MVPS website. The system
seems to be working okay tonight but I will cross my fingers and
check again tomorrow.
Glad to hear it worked. The IP address could be a giveaway as
to the name of the malware, you could have given it to us, munged.
(like two hundred dot one three eight dot, etc).
Anyway, whatever put it there altered explorer shell and other
stuff. Probably has an autorun.inf in c:, or a run= command in
registry, or some kind of browser hook. Sure hijackthis didn't find
anything? The malware is still there, somewhere.
PS - rename hijackthis.exe to something like notepad.exe.
Sometimes does the trick. I'd also run superantispyware portable and
malwarebytes just to be sure. In that order.
[]'s


Hijack This told me of the HOSTS file and even displayed the contents,
but when I tried to delete the entries it was powerless to do so,
presumably because it was protected.

I believe the culprit has been corralled because the computer was
cleaned a few weeks ago by either MBAM or SAS. It just never restored
the HOSTS file.

My problem was much like this article but with a different IP address
than shows in the example. If I get a chance I'll post the actual
address later on.

http://superuser.com/questions/104792/windows-xp-hosts-file-has-been-tampered-with
 
Leythos

badgolferman said:
Hello Leythos,

This HOSTS file was NOT visible from the command line nor from Windows
Explorer with all options enabled and logged in as an administrator
although not as THE Administrator. However I knew it was there because
the command line was telling me there were 5 objects in the directory
and Hijack This! could read the file. The other spyware cleaners or
anti-virus programs never even made a peep about the HOSTS file, maybe
because it was hidden and locked.

I have never seen the host file hidden AND locked from the administrator
on any windows computer, such that an administrator could not access it.
I've seen it blocked from delete by malware.
 
Shadow

badgolferman said:
Hijack This told me of the HOSTS file and even displayed the contents,
but when I tried to delete the entries it was powerless to do so,
presumably because it was protected.

I believe the culprit has been corralled because the computer was
cleaned a few weeks ago by either MBAM or SAS. It just never restored
the HOSTS file.
I just got a horrible idea. If you googled hijackthis and the
antimalware programs , while you had your hosts file altered, you
could have been redirected to and downloaded false files.
Depends on how thorough they were with your hosts file.
Know how to use an MD5?
http://free.antivirus.com/hijackthis/
Download the one on the right, marked "executable"
hijackthis.exe 388.608 bytes
MD5 9A2347903D6EDB84C10F288BC0578C1C
Correct?
[]'s

I had a terrible job once, altering a registry key as
administrator. I finally managed by booting into safe-mode.
I also had to remove some autorun.inf files using a linux live disk.
Untouchable (and invisible) for administrator.
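The hash check Shadow proposes above, worked through as an added example (not the thread's code; the function names and the sample file contents are chosen here): the file is hashed in chunks, the MD5 is compared to the published value case-insensitively and in constant time, and SHA-256 is reported alongside it because MD5 alone is a weak integrity check. The expected MD5 and size are passed in by the caller and should come from the vendor's download page, not from a page reached through a possibly hijacked hosts file.

```python
"""Verify a downloaded tool against a published hash before running it.

Added example, not code from the thread. hash_file(), verify_download() and
demo() are names chosen here; the sample content in demo() is constructed.
"""
import hashlib
import hmac
import os
import tempfile

# MD5 of the three bytes b"abc"; a well-known test vector, used only by demo().
MD5_ABC = "900150983cd24fb0d6963f7d28e17f72"


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 16):
    """Hash a file in chunks so a large download never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, expected_md5, expected_size=None):
    """Return (ok, details). A size mismatch or a wrong MD5 both fail.
    The digest comparison is case-insensitive and constant-time."""
    details = {"size": os.path.getsize(path)}
    details.update(hash_file(path))
    size_ok = expected_size is None or details["size"] == expected_size
    md5_ok = hmac.compare_digest(details["md5"].lower(),
                                 expected_md5.strip().lower())
    return size_ok and md5_ok, details


def demo(content=b"abc", expected_md5=MD5_ABC, expected_size=3):
    """Write constructed content to a temporary file, verify it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "download.bin")   # constructed sample file
        with open(path, "wb") as fh:
            fh.write(content)
        return verify_download(path, expected_md5, expected_size)


if __name__ == "__main__":
    ok, details = demo()
    print("match" if ok else "MISMATCH", details)
```

Usage against a real download is `verify_download(r"C:\path\to\tool.exe", "<md5 from vendor page>", <size from vendor page>)`; a failed check means the file should be discarded and fetched again from a machine whose name resolution is trusted.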
 
Dustin

Well...

Just humour me for a moment..

I'd like you to open IE and check the connection settings. Under LAN, and
let me know if it's got some proxy settings enabled by any chance. If it
does, uncheck them and select automatically detect settings, close IE and
re-open it.

Please report back.
 
Dustin

badgolferman said:
Hello Leythos,

This HOSTS file was NOT visible from the command line nor from
Windows Explorer with all options enabled and logged in as an
administrator although not as THE Administrator. However I knew it
was there because the command line was telling me there were 5
objects in the directory and Hijack This! could read the file. The
other spyware cleaners or anti-virus programs never even made a peep
about the HOSTS file, maybe because it was hidden and locked.

It sounds like something used NTFS file permissions on the hosts file;
that could prevent you from doing anything with it unless you used the
account it was configured for. You can override this of course, but.. if
you don't know it's been done you aren't going to check that aspect.
 
Dustin

Leythos said:
I have never seen the host file hidden AND locked from the
administrator on any windows computer, such that an administrator
could not access it. I've seen it blocked from delete by malware.

NTFS file permissions had to have been in play here. Or, he still has
something which was hiding the hosts file.
 
Dustin

Shadow said:
I had a terrible job once, altering a registry key as
administrator. I finally managed by booting into safe-mode.
I also had to remove some autorun.inf files using a linux live disk.
Untouchable (and invisible) for administrator.

You could also have used a bartpe disc, booted into native NT, mounted
the systems local (software if you need to meddle with windows, SAM if
you need to override a lost password, system if you need to remove some
bad driver information) registry hive and edited it; and then saved the
results back to disc. You can also change NTFS permissions and reclaim
files which have been taken from you. The ehh, untouchable and invisible
ones. <G>
 
