search results get redirected

Shadow

You could also have used a bartpe disc, booted into native NT, mounted
the system's local (software if you need to meddle with Windows, SAM if
you need to override a lost password, system if you need to remove some
bad driver information) registry hive and edited it; and then saved the
results back to disc. You can also change NTFS permissions and reclaim
files which have been taken from you. The ehh, untouchable and invisible
ones. <G>
OK, you got me there. I've always booted into Linux and
deleted files from there, sometimes restoring my erunt registry backup
from a dosbox "box". I thought that my XP-Bart would execute those
autorun files when it mounted the drives. Does Bart ignore autorun
files?
TIA
[]'s
 
Dustin

OK, you got me there. I've always booted into Linux and
deleted files from there, sometimes restoring my erunt registry
backup from a dosbox "box". I thought that my XP-Bart would execute
those autorun files when it mounted the drives. Does Bart ignore
autorun files?

Bart doesn't have Windows Explorer running, so yes; the autorun and
other things like.. device manager (hehehe) aren't available. <G>
 
sh@dow

By the way, my wife says the search results are still redirecting.
Obviously it isn't clean yet. I guess I must start over. Please
suggest how to begin.

OK ...
In this order:
You still have that Linux boot disk?
1) Boot Linux, examine the hosts file, and see if any of the old
entries have re-appeared. Save the file to USB, then delete it.
2) Plug in all your USB drives, one by one, and look for an
autorun.inf file on all of them. Look in the root of all your drives too:
C:, D:, etc.
WRITE DOWN the file the autorun.inf points to, and if you can
connect to the net, upload the file it points to to
http://virusscan.jotti.org/en and/or
http://www.virustotal.com and
(this will help others)
http://www.uploadmalware.com/index.php
(You can see what file it points to by opening the autorun.inf in a text
editor, like gedit or kedit.)
If you have an autorun.inf on the USB, do not plug it into any
other computer until you have saved a zipped copy and deleted the
original. Also save a zipped copy of the file it points to, and delete
the original.
3) No autorun.inf? OK, so it's probably a "run" instruction in the
registry. Or a browser add-on, or a shell.
Your antivirus and antimalware are probably false, downloaded
from a bogus redirection.

Download http://www.avira.com/en/support-download-avira-antivir-rescue-system
on ANOTHER computer, burn it to a cdrom on the other PC, boot
with it and run the program.
4) Still no joy?
Back up all your data (should have done that first) and
reinstall ...... sorry, all I can think of ATM
[]'s
PS --- feedback if anything above comes out positive, pls.
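
Steps 1 and 2 of the post above, as an added example that is not part of the original thread: a Python sketch, run from the Linux boot disk, that lists the programs an autorun.inf would launch and the hosts-file entries that point names at non-local addresses. The function names, the set of launch keys checked and the sample data are assumptions made for this illustration.

```python
import os
import re

# autorun.inf keys in the [autorun] section that name a program to launch.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Addresses that do not send traffic to another machine (assumed benign here).
LOCAL = {"127.0.0.1", "::1", "0.0.0.0"}

def autorun_targets(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf text."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if EXEC_KEY.match(key):
                targets.append((key.lower(), value))
    return targets

def hosts_redirects(text):
    """Return (ip, hostname) pairs that map a name to a non-local address."""
    found = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop comments, split columns
        if len(fields) >= 2 and fields[0] not in LOCAL:
            found.extend((fields[0], name.lower()) for name in fields[1:])
    return found

def scan_root(root):
    """Find autorun.inf (any letter case) in a mounted drive root and parse it."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), errors="replace") as fh:
                return autorun_targets(fh.read())
    return []

# Constructed sample input, not taken from the thread.
SAMPLE_INF = ("[AutoRun]\r\n; comment\r\nOpen = RECYCLER\\x.exe /s\r\nicon=x.ico\r\n"
              "shell\\explore\\Command=RECYCLER\\x.exe\r\n[other]\r\nopen=ignored.exe\r\n")
SAMPLE_HOSTS = "127.0.0.1 localhost\n# note\n203.0.113.7 www.google.com google.com  # added\n"

if __name__ == "__main__":
    print(autorun_targets(SAMPLE_INF))
    print(hosts_redirects(SAMPLE_HOSTS))
```

Call `scan_root()` on each mounted drive root and `hosts_redirects()` on the contents of the Windows hosts file; anything either returns is what to write down and copy off before deleting.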
 
Nobody > (Revisited)

I have never seen the host file hidden AND locked from the administrator
on any Windows computer, such that an administrator could not access it.
I've seen it blocked from delete by malware.

Not sure if it would work in this case, but MBAM has a "FileASSASSIN" under
the "more tools" tab. But a quick look shows it basically uses the
Windows Explorer interface, so it's a "probable not" for this one.



--
"Shit this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me motherfucker?"
Jim “Dandy” Mangrum
 
Dustin

Not sure if it would work in this case, but MBAM has a "FileASSASSIN"
under the "more tools" tab. But a quick look shows it basically uses
the Windows Explorer interface, so it's a "probable not" for this
one.

The interface is the same, but if you google file assassin, you'll see
it's an older program which uses direct API calls to lock onto and
delete the file of your choosing. It works in many cases, but I don't
recommend you just willy-nilly target-lock and fire. [g]
 
