How to deal with browser hijacking?
Asked by Dr_Dredd (10540), March 20th, 2011
I’ve been trying to debug my parents’ computer, which has Windows XP. They’re using Internet Explorer (yeah, I know, not the best choice, but that’s what they’ve got), and IE started sending them to random sites when they clicked on various links. I used avast! antivirus software and edited the hosts file, and things have improved, but they’re still not back to normal.
Then I got the idea to look at the C:\WINDOWS\system32\drivers\etc folder, where the hosts file is located. According to the folder properties, there are 6 files inside the folder, but only five actually are visible. Even setting folder options to “view hidden files” doesn’t make the 6th file visible. So, my questions are:
1.) Is it possible to have a ‘hidden’ hosts file that’s actually controlling the hijacking?
2.) If so, how does one find it and get rid of it?
3.) If that’s not the case, any other suggestions on what I can do to stop the browser hijacking?
17 Answers
Get MalwareBytes, run a full scan, and remove anything that it comes up with.
Yep, Malwarebytes is the next step after Avast.
The free version does not run in the background like Avast, you need to run it occasionally.
Superantispyware also does a good job, worth a go.
Boot up in safe mode and then run Malwarebytes and your anti-virus program:
Personally, I have had great luck with Spybot S&D and its resident shield. I prefer real-time protection over stuff that needs to be actively run in order to remove infections that have already taken root.
Thanks, everyone. I ran avast on “boot-type scan” mode; would that do the same as running it on safe mode?
Alas, I tried Malwarebytes in safe mode, and it didn’t find anything.
I’ll have to try Spybot and see what happens…
OK, here’s some more info. I ran Spybot and it detected multiple browser redirects. However, when it tried to fix them, I got a message saying “Cannot create file C:\WINDOWS\system32\drivers\etc\hosts. Access Denied.”
Help! :-( Please…
Sounds like you got a nasty one! I assume that you are running Spybot as an Administrator, or allowing Spybot to do so. If not, there are some system files that you won’t be allowed to alter. If you are and it still gives that error, you need to go in and reset the permissions on that file.
Did you try “HijackThis!”? If you are comfortable or savvy working with the Registry, I found that very good in hunting down nasties. You can buy “Perfect Uninstaller”; it worked pretty good for me finding programs that hid from Windows. Once you get the bug out of there, I found Spybot, Adware by Grisoft, AVG, or ZoneAlarm, using any three in a triple security cocktail, keeps all the bugs out. ZoneAlarm is a bit buggy and annoying to use at the beginning until it learns your habits and usual sites, but at least you know it is working because it is nagging the hell out of you.
If you could you might try searching for an earlier restore point before the hijack and see if you can boot to that, also worked for me in the past.
Like @jerv said, it sounds like a permissions issue on the hosts file.
- It sounds basic, but do you still have the hosts file open? That may not allow it to be written to.
- When you make changes manually, are you able to save and are the changes reflected?
- I don’t think browsers lock the file, but it may be a good idea to close them as well.
Do you have anything meaningful in the hosts file? For example, mine is just the comments up top and one entry for 127.0.0.1 to localhost.
If yours is similar it may be worthwhile to just delete and recreate it.
The hosts file wasn’t open—I couldn’t even find it at first.
I think I got it now, though. I ran Spybot in safe mode, found the “hidden” hosts file, then used the File Assassin part of Malwarebytes to delete it. Then I recreated the hosts file, and so far, so good.
Thanks, all!
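An added example, not part of the thread or any poster's code: a Python sketch of the two checks the thread converges on, listing files in the etc folder that are not in the default set and flagging every hosts entry other than the stock localhost mapping. The default file set assumed for Windows XP, the function names and the sample hosts text are assumptions constructed for illustration.

```python
import ipaddress

# Assumed default contents of C:\WINDOWS\system32\drivers\etc on Windows XP.
EXPECTED_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}
LOCAL_NAMES = {"localhost"}

def unexpected_files(names):
    """Return directory entries that are not part of the assumed default set."""
    return sorted(n for n in names if n.lower() not in EXPECTED_FILES)

def audit_hosts(text):
    """Return (line_no, kind, address, hostname) for every non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(entry) < 2:
            continue  # blank line, comment, or address without a name
        address, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed", address, " ".join(names)))
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES and ip.is_loopback:
                continue  # the stock "127.0.0.1 localhost" entry
            # Loopback/0.0.0.0 makes a site unreachable; any other address
            # sends the browser to a different server than DNS would.
            kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((line_no, kind, address, name))
    return findings

# Constructed sample hosts content (documentation addresses and .example names).
SAMPLE_HOSTS = """\
# Constructed sample, not taken from the thread
127.0.0.1       localhost
203.0.113.10    www.search.example   search.example  # site pointed elsewhere
127.0.0.1       update.av-vendor.example
"""

if __name__ == "__main__":
    # On the affected machine, pass os.listdir() of the etc folder instead;
    # it returns hidden and system files regardless of Explorer's view settings.
    listing = ["hosts", "lmhosts.sam", "networks", "protocol", "services", "hosts.tmp"]
    print(unexpected_files(listing))
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Entries reported as "sinkholed" are not always malicious, since some protection tools add loopback entries on purpose, so review them against what was deliberately installed.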
I would also install Firefox for them and encourage them to use it instead of IE. Since it’s open source, security vulnerabilities tend to get fixed very quickly.
Excellent suggestion! Thanks
I’ve been using it since before it was called Firefox and haven’t had that sort of issue yet. A lot of malware is written to exploit IE.