search results get redirected


I can't get the right answer anywhere else so I'm hoping someone here
can help please.

Windows XP computer seems to have a redirect spyware/virus messing with
the search capabilities of all browsers.  You do a search in Google and
when clicking on the link it redirects to a no name search engine.  If
you go back to the Google search results and click the link the second
or third time then it takes you to the correct site.  Gmail is
difficult to get to also, something about SSL error.

I changed the DNS servers to OpenDNS.  I ran AVAST, MBAM, NOD32 online
scan.  All came back clean.  Hijack This gave me a clue that the HOSTS
file was locked.  I navigated to c:\windows\system32\drivers\etc to
look at it but it is locked and hidden from view.  I can't delete it
from Explorer and not from the command line either -- access is denied.
I have tried all the suggestions found on the web telling me to take
ownership or change system attributes through the command line.  None
work.

The infected computer is one of several computers connected to my
wireless router.  None of the others are having any problems.  I assume
the HOSTS file has been overtaken by a nasty malware and somehow that
is redirecting the search results.  Maybe something else is the problem
and you can help.

Thank you.

Re: search results get redirected

On Thu, 07 Apr 2011 22:04:16 -0400, badgolferman wrote:


    I'd boot from a linux live cd and see what was in that hosts
file. Quite easy to navigate using the file explorer. Maybe you can't
find it because it's not there ?
    I have a very poor view of these free DNS servers, a lot of them
redirect.
    Try downloading Steve Gibson's DNS benchmark tool.
    http://www.grc.com/dns/benchmark.htm
    It will tell you in a very short time which DNS servers are
fastest and which redirect. But only AFTER you've sorted out the hosts
problem.
    BTW, maybe even hijackthis will sort out your hosts file. Try it.
It's pretty tiny, and portable.
    http://free.antivirus.com/hijackthis/
    FWIW
    []'s

Re: search results get redirected



Use my Multi-AV Scanning Tool and start with the Trend Micro module.

You may have a legit DLL that's been trojanized.


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: search results get redirected



Have you tried tdsskiller?


--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

Re: search results get redirected

Dustin wrote:

Second that, tdsskiller has a good chance of getting this type of bugger.

http://support.kaspersky.com/viruses/solutions?qid=208280684




Re: search results get redirected

gaz wrote:


I tried it and it didn't find anything either.  The closest one to
actually doing anything is Hijack This which can read it but tells me
it's locked.

The HOSTS file remains hidden/invisible in the directory and I can't
get it despite being the administrator and having all files be visible.
The directory shows 4 icons inside, but the command line tells me there
are 5.  Search results continue to get redirected when using IE or
Chrome.  Doesn't Chrome share many network options with IE?  I can't
remember if Firefox is affected.  If the issue is a HOSTS file then
Firefox should be no different.  I'll mess around with it some more
tonight hopefully.

Re: search results get redirected

On Tue, 19 Apr 2011 15:55:45 +0000 (UTC)

    Aha, my suggestion.
    It found no suspicious startups or shells ?
    Like I said before, download any linux live-cd (slax is OK, or
puppy), boot from it, and just navigate to the hosts file using the file
manager. You can do what you like, you will be root. Edit it, copy it
to a usb, delete it. Root is boss.
    []'s



Re: search results get redirected

Sh@dow, 4/19/2011,5:16:27 PM, wrote:


Thank you for your suggestion.  I downloaded a Knoppix Live CD and made
a disc out of it.  I booted from the disc and navigated to the
c:\windows\system32\drivers\etc directory and sure enough there was the
HOSTS file.  It was filled with all versions of Google, Yahoo, Bing
domains and all pointing to one particular IP address.  Hijack This!
identified all those entries in the HOSTS file but couldn't delete
them.  I deleted the file, rebooted to Windows and downloaded a new
HOSTS file from the MVPS website.  The system seems to be working okay
tonight but I will cross my fingers and check again tomorrow.
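The HOSTS contents described in the post above (every Google, Yahoo and Bing domain mapped to one address) are the pattern a small parser can flag before you go hunting by eye. What follows is an added example, not code from the thread or from any tool mentioned in it. The sample hosts text is constructed to resemble the described infection; 203.0.113.5 is an RFC 5737 documentation address, not the IP from the original post, and the function names are mine.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the thread's description: search-engine
# domains all pointing at one routable address. 203.0.113.5 is a
# documentation address, not the real one the poster saw.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example.net         # MVPS-style blocklist line, benign
203.0.113.5\twww.google.com google.com
203.0.113.5 www.google.co.uk
203.0.113.5 search.yahoo.com www.bing.com bing.com
203.0.113.5 mail.google.com
"""

# Loopback and null-route entries are how legitimate blocklists (MVPS etc.)
# work: they make a name unreachable, they cannot redirect you anywhere.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and
    malformed lines are skipped rather than crashing the scan."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()          # tabs and runs of spaces both work
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:        # one line may carry several names
            yield str(ip), host.lower(), n


def suspicious_mappings(text):
    """Return {ip: [hostnames]} for entries that send traffic to a real
    address instead of loopback/null. Those are the ones that can redirect."""
    by_ip = defaultdict(list)
    for ip, host, _ in parse_hosts(text):
        if ip in LOOPBACK_OR_NULL:
            continue
        by_ip[ip].append(host)
    return dict(by_ip)


def hijacked_ips(text, min_hosts=3):
    """Addresses that swallow at least min_hosts names: one IP collecting
    many well-known domains is the signature of a hosts-file redirect."""
    return [ip for ip, hosts in suspicious_mappings(text).items()
            if len(hosts) >= min_hosts]


if __name__ == "__main__":
    import sys
    # Pass the path of a copy of the hosts file (e.g. one copied off the
    # live CD); with no argument the constructed sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for ip, hosts in suspicious_mappings(text).items():
        print(f"{ip}: {len(hosts)} name(s) -> {', '.join(hosts)}")
    print("hijack candidates:", hijacked_ips(text) or "none")
```

Run it over the copy you took from the live CD rather than trusting a scanner to mention the file; a clean Windows hosts file has only the localhost lines, and a freshly installed MVPS file has thousands of 0.0.0.0 lines and nothing else, so any non-loopback address is worth explaining. The threshold in hijacked_ips is a heuristic: a single odd entry could be a leftover from a developer's test, but one address gathering a handful of search and mail domains is the case this thread describes.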

Re: search results get redirected

REMOVETHISbadgolferman@gmail.com says...

One of the latest pieces of malware does this; on a machine I recently
saw that was infected it was a fake ESET.EXE antivirus program.

On that same machine, before fixing the host file, MBAM removed some
1800 trojan/fake items.

In order to access the HOSTS file I had to change the VIEW options to
show Hidden and System files, and open the COMMAND prompt under an Admin
account, browse to it via the command prompt and then use the manual
delete command. Even with UAC turned off, while windows explorer could
see it, it could not be deleted via the GUI.


--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.  
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)

Re: search results get redirected

Leythos wrote:


Hello Leythos,

This HOSTS file was NOT visible from the command line nor from Windows
Explorer with all options enabled and logged in as an administrator
although not as THE Administrator.  However I knew it was there because
the command line was telling me there were 5 objects in the directory
and Hijack This! could read the file.  The other spyware cleaners or
anti-virus programs never even made a peep about the HOSTS file, maybe
because it was hidden and locked.

Re: search results get redirected

REMOVETHISbadgolferman@gmail.com says...

I have never seen the host file hidden AND locked from the administrator
on any windows computer, such that an administrator could not access it.
I've seen it blocked from delete by malware.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.  
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)

Re: search results get redirected



NTFS file permissions had to have been in play here. Or, he still has
something which was hiding the hosts file.


--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

Re: search results get redirected



The interface is the same, but if you google FileASSASSIN, you'll see
it's an older program which uses direct API calls to lock onto and
delete the file of your choosing. It works in many cases, but I don't
recommend you just willy-nilly target-lock and fire. [g]


--
Why drink the water from my hand?
Contagious as you think I am
Just tilt my sun towards your domain
Your cup runneth over again

Re: search results get redirected



It sounds like something used NTFS file permissions on the hosts file;
that could prevent you from doing anything with it unless you used the
account it was configured for. You can override this of course, but.. if
you don't know it's been done you aren't going to check that aspect.






--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

Re: search results get redirected

badgolferman wrote:

As you probably already know, you haven't addressed what put it there,
and what hid and protected it under Windows. You likely still have work
to do even though one symptom has been addressed.

Re: search results get redirected

On Tue, 19 Apr 2011 22:50:09 -0400, "badgolferman"

    Glad to hear it worked. The IP address could be a giveaway as
to the name of the malware, you could have given it to us, munged.
(like two hundred dot one three eight dot, etc).
    Anyway, whatever put it there altered explorer shell and other
stuff. Probably has an autorun.inf in c:, or a run= command in
registry, or some kind of browser hook. Sure hijackthis didn't find
anything ? The malware is still there, somewhere.
    PS - rename hijackthis.exe to something like notepad.exe.
Sometimes does the trick. I'd also run superantispyware portable and
malwarebytes just to be sure. In that order.
    []'s

Re: search results get redirected

Shadow wrote:



Hijack This told me of the HOSTS file and even displayed the contents,
but when I tried to delete the entries it was powerless to do so,
presumably because it was protected.

I believe the culprit has been corralled because the computer was
cleaned a few weeks ago by either MBAM or SAS.  It just never restored
the HOSTS file.

My problem was much like this article but with a different IP address
than shows in the example.  If I get a chance I'll post the actual
address later on.

http://superuser.com/questions/104792/windows-xp-hosts-file-has-been-tampered-with

Re: search results get redirected


BIG SNIP

Install WinPatrol to protect the hosts file and the registry, and a
lot of other good things.
--

Re: search results get redirected

On Wed, 20 Apr 2011 16:25:59 +0000 (UTC), "badgolferman"

    I just got a horrible idea. If you googled hijackthis and the
antimalware programs , while you had your hosts file altered, you
could have been redirected to and downloaded false files.
    Depends on how thorough they were with your hosts file.
    Know how to use an MD5 ?
    http://free.antivirus.com/hijackthis/
    Download the one on the right, marked "executable"
    hijackthis.exe 388.608 bytes
    MD5 9A2347903D6EDB84C10F288BC0578C1C
    Correct ?
    []'s

    I had a terrible job once, altering a registry key as
administrator. I finally managed by booting into safe-mode.
I also had to remove some autorun.inf files using a linux live disk.
Untouchable (and invisible) for administrator.
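One way to do the check Shadow describes above, as an added example that is not part of the thread: compute the digest of the file you downloaded and compare it with the one published for it. The digest and size quoted in the post are not reproduced or vouched for here; the function names are mine and the sample bytes in the test are constructed.

```python
import hashlib
import hmac


def digest_bytes(data, algo="md5"):
    """Hex digest of an in-memory blob; algo is any name hashlib knows."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def digest_file(path, algo="md5", chunk_size=1 << 16):
    """Hex digest of a file, read in chunks so a large installer never
    has to fit in memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(actual_hex, published_hex):
    """Compare digests case-insensitively, tolerating the spaces, dashes
    or colons some sites print between byte groups. The constant-time
    compare is not needed for a local check but costs nothing."""
    def norm(s):
        return "".join(c for c in s.lower() if c in "0123456789abcdef")
    return hmac.compare_digest(norm(actual_hex), norm(published_hex))


def verify_download(path, published_hex, algo="md5"):
    """Return (ok, actual_hex) for the file at path."""
    actual = digest_file(path, algo)
    return matches(actual, published_hex), actual


if __name__ == "__main__":
    import sys
    # usage: verify.py <file> <published-digest> [md5|sha256]
    algo = sys.argv[3] if len(sys.argv) > 3 else "md5"
    ok, actual = verify_download(sys.argv[1], sys.argv[2], algo)
    print(actual, "OK" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

The check is only as good as where the published digest came from: if both the download and the page showing its hash arrived through the same hijacked HOSTS file, both can be substituted together, so take the digest from a machine that is not affected (the other computers on the router in this thread) or from the vendor's page after the HOSTS file is fixed. A published MD5 still catches a swapped binary, since producing a second file with a given MD5 is not practical, but use SHA-256 whenever the vendor publishes one.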
    
    

Re: search results get redirected



You could also have used a BartPE disc, booted into native NT, mounted
the system's local registry hive (SOFTWARE if you need to meddle with
Windows, SAM if you need to override a lost password, SYSTEM if you need
to remove some bad driver information) and edited it; and then saved the
results back to disc. You can also change NTFS permissions and reclaim
files which have been taken from you. The ehh, untouchable and invisible
ones. <G>



--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?
