General Question

How to deal with browser hijacking?

Asked by Dr_Dredd (10523 points) March 20th, 2011

I’ve been trying to debug my parents’ computer, which has Windows XP. They’re using Internet Explorer (yeah, I know, not the best choice, but that’s what they’ve got), and IE started sending them to random sites when they clicked on various links. I used avast! antivirus software and edited the hosts file, and things have improved, but they’re still not back to normal.

Then I got the idea to look at the C:\WINDOWS\system32\drivers\etc folder, where the hosts file is located. According to the folder properties, there are 6 files inside the folder, but only five actually are visible. Even setting folder options to “view hidden files” doesn’t make the 6th file visible. So, my questions are:

1.) Is it possible to have a ‘hidden’ hosts file that’s actually controlling the hijacking?
2.) If so, how does one find it and get rid of it?
3.) If that’s not the case, any other suggestions on what I can do to stop the browser hijacking?

17 Answers

MyNewtBoobs's avatar

Get MalwareBytes, run a full scan, and remove anything that it comes up with.

jaytkay's avatar

Yep, Malwarebytes is the next step after Avast.

The free version does not run in the background like Avast; you need to run it occasionally.

auntydeb's avatar

Superantispyware also does a good job, worth a go.

augustlan's avatar

Boot up in safe mode and then run Malwarebytes and your anti-virus program:

jerv's avatar

Personally, I have had great luck with Spybot S&D and its resident shield. I prefer real-time protection over stuff that needs to be actively run in order to remove infections that have already taken root.

Dr_Dredd's avatar

Thanks, everyone. I ran avast on “boot-type scan” mode; would that do the same as running it on safe mode?

Alas, I tried Malwarebytes in safe mode, and it didn’t find anything.

I’ll have to try Spybot and see what happens…

Dr_Dredd's avatar

OK, here’s some more info. I ran Spybot and it detected multiple browser redirects. However, when it tried to fix them, I got a message saying “Cannot create file C:\WINDOWS\system32\drivers\etc\hosts. Access Denied.”

Help! :-( Please…

jerv's avatar

Sounds like you got a nasty one! I assume that you are running Spybot as an Administrator, or allowing Spybot to do so. If not, there are some system files that you won’t be allowed to alter. If you are and it still gives that error, you need to go in and reset the permissions on that file.

Hypocrisy_Central's avatar

Did you try “HijackThis!”? If you are comfortable or savvy working with the Registry, I found that very good in hunting down nasties. You can buy “Perfect Uninstaller”; it worked pretty good for me finding programs that hid from Windows. Once you get the bug out of there, I found Spybot, Adware by Grisoft, AVG, or ZoneAlarm using any three in a triple security cocktail keeps all the bugs out. ZoneAlarm is a bit buggy and annoying to use at the beginning until it learns your habits and usual sites, but at least you know it is working because it is nagging the hell out of you.

If you could, you might try searching for an earlier restore point before the hijack and see if you can boot to that; it also worked for me in the past.

funkdaddy's avatar

Like @jerv said, it sounds like a permissions issue on the hosts file.

- It sounds basic, but do you still have the hosts file open? That may not allow it to be written to.
- When you make changes manually, are you able to save and are the changes reflected?
- I don’t think browsers lock the file, but may be a good idea to close them as well.

Do you have anything meaningful in the hosts file? For example, mine is just the comments up top and one entry for 127.0.0.1 to localhost.

If yours is similar it may be worthwhile to just delete and recreate it.

Dr_Dredd's avatar

The hosts file wasn’t open—I couldn’t even find it at first.

I think I got it now, though. I ran Spybot in safe mode, found the “hidden” hosts file, then used the File Assassin part of Malwarebytes to delete it. Then I recreated the hosts file, and so far, so good.

Thanks, all!
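
An added example, not part of the original thread: a read-only Python check for the two things discussed above, namely which entries the `etc` folder really contains (with their hidden/system flags) and which hosts mappings deserve review. The sample hosts text is constructed and the function names are illustrative; the attribute flags assume Python 3.5+ on Windows.

```python
import ipaddress
import os
import stat

# Constructed sample hosts content (not taken from the thread).
SAMPLE = """\
# comment line
127.0.0.1      localhost
203.0.113.10   www.example.com example.com  # site pointed at another server
127.0.0.1      update.example.net
"""

def audit_hosts(text):
    """Return (line_no, ip, name, kind) for each mapping other than loopback -> localhost."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        local = ip.is_loopback or ip.is_unspecified
        for name in fields[1:]:
            if local and name.lower() == "localhost":
                continue
            # "blocked": name forced to this machine; "redirect": name sent elsewhere
            findings.append((line_no, str(ip), name.lower(),
                             "blocked" if local else "redirect"))
    return findings

def list_all_entries(folder):
    """Return (name, hidden, system) for every entry the file API reports.

    Flags come from st_file_attributes (Windows, Python 3.5+); elsewhere they read False.
    """
    rows = []
    for entry in os.scandir(folder):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        rows.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                     bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)))
    return sorted(rows)

if __name__ == "__main__":
    etc = r"C:\WINDOWS\system32\drivers\etc"  # folder named in the question
    if os.path.isdir(etc):
        for row in list_all_entries(etc):
            print(row)
    for finding in audit_hosts(SAMPLE):  # replace SAMPLE with the real file's text
        print(finding)
```

Software that hooks the file API can still hide entries from a listing like this, which is why the scans in the thread were repeated from safe mode.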

gorillapaws's avatar

I would also install Firefox for them and encourage them to use it instead of IE. Since it’s open source, security vulnerabilities tend to get fixed very quickly.

RocketGuy's avatar

Yes, Firefox.

augustlan's avatar

Third vote for Firefox.

Dr_Dredd's avatar

Excellent suggestion! Thanks.

jerv's avatar

I’ve been using it since before it was called Firefox and haven’t had that sort of issue yet. A lot of malware is written to exploit IE.

Response moderated (Spam)
