Hosts file hijacked

This system had a fake anti-virus program. I used System Restore to 3/1/11. However Hijackthis can't remove the  following has been found on a Windows XP system located at c:\WINDOWS\System32\drivers\etc\hosts

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
74.50.127.5 www.google.com
74.50.127.5 www.google.com.au
74.50.127.5 www.google.be
74.50.127.5 www.google.com.br
74.50.127.5 www.google.ca
74.50.127.5 www.google.ch
74.50.127.5 www.google.de
74.50.127.5 www.google.dk
74.50.127.5 www.google.fr
74.50.127.5 www.google.ie
74.50.127.5 www.google.it
74.50.127.5 www.google.co.jp
74.50.127.5 www.google.nl
74.50.127.5 www.google.no
74.50.127.5 www.google.co.nz
74.50.127.5 www.google.pl
74.50.127.5 www.google.se
74.50.127.5 www.google.co.uk
74.50.127.5 www.google.co.za
74.50.127.5 www.bing.com
74.50.127.5 search.yahoo.com
74.50.127.5 uk.search.yahoo.com
74.50.127.5 ca.search.yahoo.com
74.50.127.5 de.search.yahoo.com
74.50.127.5 fr.search.yahoo.com
74.50.127.5 au.search.yahoo.com
74.50.127.5 www.google-analytics.com


Any assistance at removing this problem will be greatly appreciated.
Answer
Answer
The hosts file is a read only, hidden system file.  It is just a text file that you can manipulate with WordPad, Notepad or any text editor.  Before modifying the hosts file, make a copy of the current one in case you need to restore the original.

You may be able to create a new or reset your hosts file with help from Microsoft:

http://support.microsoft.com/kb/972034  (this did not work as expected the last time I tried it).

If you use the Microsoft Fix It button, you will have no hosts file when you are done (which is not necessarily a bad thing) so you may just want to read and follow the instructions for how to fix it yourself.

Some third party software scanning tools (like Spybot) can optionally add entries to the hosts file on purpose to block your browser from loading certain WWW sites entirely or block advertisements from certain WWW sites.  They claim to have a list of sites that most people would like to block and insert them into your hosts file for you.  You can always remove entries in the hosts file by hand if desired.

Malicious software can also add entries to the host file to redirect your browser to some other WWW site than the one you would really like to visit.  

For example, if you try to browse to www.google.com, you may end up on some WWW site that is inappropriate or just an advertisement for a product you never heard of and don't want.  Your browser will always be redirected away from www.google.com until you fix the hosts file.

The malicious software can also modify your hosts file to block your browser from going to Internet sites where you might find a solution for how to remove the malicious software.  The malicious software sometimes knows what you are going to do to try to find and remove it, so it will prevent you from doing so.

If your hosts file has been manipulated by malicious software, editing the hosts file will not remove the malicious software.  You will still need to scan your system with software tools to be sure the malicious software is entirely gone.

Malicious software scanning tools may also remove the malicious software and leave the bad entries in the hosts file.  The scanning tools cannot tell if entries in the hosts file were made on purpose or by malicious software so you still may need to edit the hosts file by hand if browser redirection occurs after the malicious software has been removed.

Some scanning tools will report modifications to the hosts file as suspicious and allow you to review the changes and let you decide if the changes are appropriate or not and take action.

Scanning tools sometimes cannot tell if entries in the hosts file were put there by malicious software or you put them there on purpose so may not report any issues with the hosts file.  That does not mean the hosts file has not been adjusted by malicious software.

A hosts file is not required for your browser to function.  If you suspect an issue with the hosts file you can rename the hosts file and test your browsing without it.

Always reboot your system and test browsing after making any changes to the hosts file.

To manipulate the hosts file, you must make hidden files unhidden and remove the Read Only attribute from the hosts file.

In Explorer, navigate to the following folder (assuming Windows is installed on your C drive):

c:\windows\system32\drivers\etc

Click Tools. Folder Options, View.  In Advanced Settings, enable (tick) the radio button for:

Show hidden files and folders

Click OK.

The hosts file has no extension but some system files do have extensions and it may be helpful to also see the file extensions for all the files.  While you are adjusting folder View options, make file extensions visible.

Click Tools, Folder Options, View.  In Advanced Settings, put a check mark (tick) in the box:

Hide extensions for known file types

Click OK.

Now the hosts file should be visible.

Make a copy of the current hosts file and name the copy something you can remember so you can find it later and undo any changes if the changes do not work or things get worse.

The host file is usually a read only file, so to edit it, you must remove the Read-only attribute:

Right click the hosts file, Properties, uncheck the box that says:

Read-only

Click OK.

Now you can edit the hosts file with any text editor.  Be sure to save the hosts file after making any changes.

You will have to decide what is appropriate for your hosts file.  The default hosts file only has one entry (and a lot of comments) so if you suspect the hosts file is part of your issue, you can delete everything but the default entry and save the file.

Always reboot your system and test browsing after making any changes to the hosts file.

You should make the hosts file Read-only again when you are finished making changes.  Obviously some programs or malicious software do not pay attention to the attributes of a Read-only file, but it is good practice for
the hosts file to be Read-only.

If desired, reverse the Explorer changes to hide system files and extensions for known file types.

If you feel your hosts file is beyond repair, replace the contents with the Windows default values.

The default hosts file for Windows XP looks like this:



# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


There are places on the Internet for you to download information for your hosts file that is based on what other people think your hosts file should block or allow for your Internet browsing.  Sometimes that works out okay, but you should now know more about manipulating the hosts file so you can decide what is best for your environment.

Here is some additional reading about how to manipulate your hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

Here is a friendly tool with a graphical interface (GUI) to help you work on your hosts file:

http://www.funkytoad.com/index.php?option=com_content&id=13

6 people found this reply helpful

·

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Answer
Answer
Go to that file / open the hosts file with notepad, then delete the entries then save the hosts file again. Just remember to select save as all files first. Or get trojan remover install then run it. Update it then scan. Then select all options under the utilities menu. This will reset everything, inc the hosts file

5 people found this reply helpful

·

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

 
 

Question Info


Last updated November 28, 2020 Views 36,164 Applies to: