How to deal with browser hijacking?

Get MalwareBytes, run a full scan, and remove anything that it comes up with.

Yep, Malwarebytes. is the next step after Avast.

The free version does not run in the background like Avast, you need to run it occasionally.

Superantispyware also does a good job, worth a go.

Boot up in safe mode and then run Malwarebytes and your anti-virus program:

Personally, I have had great luck with Spybot S&D and it’s resident shield. I prefer real-time protection over stuff that needs to be actively run in order to remove infections that have already taken root.

Thanks, everyone. I ran avast on “boot-type scan” mode; would that do the same as running it on safe mode?

Alas, I tried malwarebytes on safe mode, and it didn’t find anything.

I’ll have to try Spybot and see what happens…

OK, here’s some more info. I ran Spybot and it detected multiple browser redirects. However, when it tried to fix them, I got a message saying “Cannot create file C:\WINDOWS\system32\drivers\etc\hosts. Access Denied.”

Help! :-( Please…

Sounds like you got a nasty one! I assume that you are running Spybot as an Administrator, or allowing Spybot to do so. If not, there are some system files that you won’t be allowed to alter. If you are and it still gives that error, you need to go in and reset the permissions on that file.

Did you try “HijackThis!”? If you are comfortable or savvy working with the Registry I found that very good in hunting down nasties. You can buy “Perfect Uninstaller” it worked pretty good forme finding programs that hid from windows. Once you get the bug out of there I found Spybot, Adware by Grisoft, AVG, or ZoneAlarm using any three in a triple security cocktail keeps all the bugs out. ZoneAlarm is a bit buggy and annoying to use at the beginning until it learns your habits and usual sites, but at lest you know it is working because it is nagging the hell out of you.

If you could you might try searching for an earlier restore point before the hijack and see if you can boot to that, also worked for me in the past.

Like @jerv said, it sounds like a permissions issue on the hosts file.

- It sounds basic, but do you still have the hosts file open? That may not allow it to be written to.
– when you make changes manually, are you able to save and are the changes reflected?
– I don’t think browsers lock the file, but may be a good idea to close them as well

Do you have anything meaningful in the hosts file? For example, mine is just the comments up top and one entry for 127.0.0.1 to localhost.

If yours is similar it may be worthwhile to just delete and recreate it.

The hosts file wasn’t open—I couldn’t even find it at first.

I think I got it now, though. I ran Spybot in safe mode, found the “hidden” hosts file, then used the File Assassin part of Malwarebytes to delete it. Then I recreated the hosts file, and so far, so good.

Thanks, all!

I would also install Firefox for them and encourage them to use it instead of IE. Since it’s open source, security vulnerabilities tend to get fixed very quickly.

Yes, Firefox.

Third vote for Firefox.

Excellent suggestion! thanks

I’ve been using it since before it was called Firefox and haven’t had that sort of issue yet. A lot of malware is written to exploit IE.