I don’t know what God I pissed off lately, but I’m once again in virus hell. It’s some sort of redirect virus that I think I’ve tracked down to a corrupted hosts file, but heck if I can fix it. Everything I try gives me “access denied.”
Here’s what’s going on:
a full scan with both Malwarebytes and Microsoft Security Essentials shows no viruses
I made sure the virus DBs were up to date on both Malwarebytes and MS Security Essentials
Clicking links from Firefox occasionally redirects to different sites. Sometimes they’re just advertising sites, but at least twice it’s been to a site that installs a bunch of malicious stuff. So far I’ve been able to clean it off using Malwarebytes.
If I open my hosts file, it has the typical stuff on the top, but then has a whole pile of empty space, and the following entries:
I’m reasonably sure this is my issue (right?)
Problem is, the #@!$#! thing has the hosts file locked down and I can’t do a thing to it other than view it. Everything I try results in “access denied.”
Here’s what I’ve tried so far:
from the command prompt “attrib -r -h -s hosts” and various alternatives (trying it with ., *., etc)
taking ownership of it by right clicking the folder and going through security and changing the ownership of the folder to my administrator account rather than TrustedInstaller
Yelling at the computer
booting into safe mode and trying all of the above again
Swearing at the computer
So what do I need to do to delete the stupid hosts file and recreate it?
I think I got it. Turning off the “Sharing Wizard” on the folder made it so I could remove those permissions. Now that’s logical!
Would still like to hear from people if they think the hosts file was indeed the problem. And any guidance/wisdom as to why, after going 20 years without a major virus attack, I’m suddenly getting viruses - 2 in the past 2 months. Blech.
And, for the record, before all you Linux and Mac users start telling me Windows is the problem, I can’t not use Windows. I’m a developer; the tools I use to work everyday are only available on Windows. Not using Windows is not an option for me.
One thing you also may want to do is remove any proxies in your browser(s).
Tools --> Options --> Advanced --> Network Tab --> “Settings” button in the “Connection” section. In there, make sure it is set to “No Proxy”.
Tools --> Internet Options --> Connections --> LAN Settings. Make sure that “Use a proxy server for your LAN” is unchecked.
Other browsers: No idea, figure out how to do it, though.
Buy Malwarebytes and keep it updated daily and running in protection mode. It is invaluable. $25 is a steal. (I am not an employee, just a very, very satisfied customer)
If you haven’t already done so, delete all old restore points. Some malware will reinfect the system from old restore points.
Delete all temporary files.
Check your task manager to make sure that there are no processes running that you don’t recognize. If you don’t recognize it, figure out what it is.
Look over all of the places that you regularly visit and make sure that you’re not getting malware through their ads or anything of that nature. (Doesn’t have to be a bad site… I’ve had attempted infections from a forum that I regularly visit)
Those entries in the hosts file would not cause the issues you’re having. It is likely that they, along with others, were added by malware but Malwarebytes removed the malicious entries. You may want to check your proxy settings in Firefox.
Clicking random links will occasionally take you to advertising sites when the domain name expired and was picked up by the host or an “entrepreneur”. That entrepreneur could also be in the malware business. Legitimate sites (such as SDMB) can host malware in their advertising. Is what you’re experiencing beyond that?
Interesting. It was set to “Use System Proxy” and I know I didn’t set that up.
I’m tempted - I’m pretty happy with them so far. I’ve been sticking with Microsoft Security Essentials and manually running Malwarebytes every few days or so; I might swap them.
Yup, done that.
Once again, that’s one of the first things I do. Heck, I do that all the time anyway, I hate all that stuff that gunks up my system.
Really? The way I’m reading those, they’re taking any call to (for example) google analytics and redirecting it to some weird IP address. Seems like a sneaky way to get various calls from legitimate websites to go to a site other than the one it was supposed to go to.
Yes. The redirects I was seeing were from legitimate web sites, including this one. For example, I’d click a thread title, and instead of going to the thread, I’d go to a totally different website advertising something (in the best case) or someplace that downloaded a fake anti-virus program and started putting up a gazillion messages that I was infected and please give me your credit card # to fix it.
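A check for the kind of hosts-file tampering discussed in this thread, added here as an example and not code from anyone in the thread: it parses a hosts file and flags every mapping that does not sink the hostname to a local address, since a loopback or 0.0.0.0 entry only blocks a name while any other address reroutes it. The sample hosts content and the 203.0.113.x address are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not the poster's actual entries): the usual
# Windows header, a run of blank lines, then two hijack-style mappings that
# send well-known hostnames to an arbitrary non-local address.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost



203.0.113.45    www.google-analytics.com
203.0.113.45    ssl.google-analytics.com  # trailing comment
127.0.0.1       ad.doubleclick.net
0.0.0.0         tracker.example
"""

def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping in a hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments; skip blanks
        if not line:
            continue
        ip, *names = line.split()             # one address, one or more names
        for name in names:
            entries.append((ip, name, line_no))
    return entries

def suspicious_entries(text: str) -> List[Tuple[int, str, str, str]]:
    """Flag mappings that reroute a name instead of merely blocking it."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue                          # 127.x / ::1 / 0.0.0.0: blocking entry
        findings.append((line_no, ip, name, "redirected to non-local address"))
    return findings

if __name__ == "__main__":
    for line_no, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

To audit a real machine, read C:\Windows\System32\drivers\etc\hosts into the function instead of the constructed sample; an entry pointing a vendor update server or analytics host at an unfamiliar address is the pattern worth investigating.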