Computer Security & Viruses/browser hijacker



Question
QUESTION: I have a browser hijacker that is continually redirecting me when I click on a link. I have scanned with McAfee, Panda, Spyware Doctor, Windows Defender, Ewido, and Malicious Software Removal Tool. They cannot find anything, and HijackThis only finds acceptable things. I have also checked my IE add-ons and cleared cookies and temporary internet files. I run Windows Vista and Internet Explorer 8. What should I do now?

ANSWER: Thank you for trying out several antivirus programs first. This helps me by showing that this is an unusual problem and that we need to look for unusual solutions.

The hosts file on your computer might have been altered. Many Internet security programs fail to check the hosts file to see if it has been altered so as to redirect your browser.

Your hosts file should be located at C:\i386\HOSTS

To check it for infection, open this file in Notepad. To do this, double-click the file; this brings up the Open With menu. Click Notepad and then click OK.

If this file is uninfected, it should look exactly like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com          # x client host

127.0.0.1       localhost

You can ignore any line with a "#" at the beginning, because these are just explanations of what this file is used for. The lines that affect your computer are the ones that don't begin with the "#".

So if you see ANYTHING other than "127.0.0.1       localhost" then this is an infection which causes your browser to go to the wrong website.

To get rid of any infected material, simply use Notepad to delete all the infected lines from this file. Then save it by clicking File --> Save.

Now if your host file was not infected, we have a more complicated problem. Here's what might work -- we can try the world's two top computer security programs and see if they can find the problem.

1) Download either Kaspersky Internet Security, which offers a free 30-day trial at http://kapersky.com, or F-Secure's Complete Internet Security suite, which offers a free thirty-day trial: https://store.f-secure.com/cgi-bin/dlreg/ml=EN?ID=FSISTB&desid=TRIAL

2) Disconnect from the Internet.

3) Uninstall your current antivirus. This is absolutely essential, because otherwise it and F-Secure or Kaspersky will fight each other and might crash your computer. It isn't good enough to just turn off your old antivirus, because it probably has been crippled by your virus infection.

4) Install your Internet Security product. Download any updates available.

5) Run a complete scan of your computer. Follow any instructions it might give you.

6) Reboot.

If this works, you can either keep your new Internet Security product or uninstall it and reinstall your old antivirus from either a download of the latest version from their website (if that's how they sell it) or from the disk it was on when you bought it. Be sure to get all the latest updates right away. Usually antivirus companies are pretty good about updating their programs whenever some new attack becomes able to evade or cripple their product.

If you weren't running an antivirus program that includes antispyware protection and a firewall, then I recommend that you not reinstall your old program. Nowadays we need total protection, and this includes antispyware and a firewall.

7) To prevent future infections, don't use Internet Explorer, as it is susceptible to introducing viruses, adware and spyware into your computer. Instead you could use Firefox, free from Mozilla.org. Instead of using Outlook for email, you could use Thunderbird, free from Mozilla.org, or Eudora, free from Eudora.com.
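The hosts-file check in the answer above can be scripted rather than eyeballed in Notepad. The following is an added example, not code from the original answer or from the expert: it parses hosts-file text the way the Windows resolver does (comments after '#', fields split on spaces or tabs), accepts only loopback-to-localhost entries as clean, and reports everything else. It goes a little beyond the answer by also accepting the IPv6 loopback line `::1 localhost` that newer Windows hosts files carry, and by separating two kinds of bad entry: a REDIRECT (a real host name sent to a non-loopback address, the symptom described in the question) and a SINKHOLE (a real host name sent to loopback, which silently blocks it, a trick used against security vendors' update sites). The file path, the hypothetical vendor host name and the sample lines are all assumptions constructed for the example.

```python
"""Hypothetical hosts-file checker (added example, not the original answer's code).

Assumes the Windows hosts file is at %SystemRoot%\\System32\\drivers\\etc\\hosts;
pass another path on the command line to override that assumption.
"""
import ipaddress
import os
import sys

# Assumed default location of the Windows hosts file.
DEFAULT_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"),
    "System32", "drivers", "etc", "hosts",
)

# The only host name that may legitimately appear in an otherwise empty hosts file.
LOCAL_NAMES = {"localhost"}


def parse_hosts(text):
    """Return [(line_no, ip_text, [names])] for every active (non-comment) entry.

    A '#' starts a comment whether it begins the line or follows the names;
    fields are separated by any run of spaces or tabs.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no host name maps nothing
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def classify(ip_text, names):
    """Return 'ok', 'sinkhole', 'redirect' or 'invalid' for one entry."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if all(n.lower() in LOCAL_NAMES for n in names):
        # localhost must resolve to loopback; anything else is a redirect of localhost
        return "ok" if ip.is_loopback else "redirect"
    # A real host name: loopback blocks it, any other address redirects it.
    return "sinkhole" if ip.is_loopback else "redirect"


def check_hosts(text):
    """Return [(line_no, verdict, ip_text, names)] for every suspicious entry."""
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        verdict = classify(ip_text, names)
        if verdict != "ok":
            findings.append((line_no, verdict, ip_text, names))
    return findings


# Constructed sample, not taken from any real machine: the header quoted in the
# answer, the two clean loopback lines, then three lines of the kind a hijacker adds.
# 203.0.113.7 is a documentation address; example-av.com is a made-up vendor name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com        # redirect: searches land on the attacker's box
127.0.0.1       update.example-av.com # sinkhole: antivirus updates silently fail
not.an.ip       something.example
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOSTS_PATH
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; checking the embedded sample instead")
        text = SAMPLE_HOSTS
    findings = check_hosts(text)
    if not findings:
        print("hosts file looks clean: only loopback -> localhost entries")
    for line_no, verdict, ip, names in findings:
        print(f"line {line_no}: {verdict.upper():8} {ip} -> {' '.join(names)}")
```

Run it with no argument to inspect the assumed system hosts file (it needs no elevation to read), or with a path to a saved copy. On the embedded sample it reports lines 6, 7 and 8 as REDIRECT, SINKHOLE and INVALID respectively and stays silent on the two localhost lines; a hosts file with hundreds of loopback entries for vendor update sites is a sinkhole list, not a cleanup tool, and is exactly what keeps scanners from updating.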

---------- FOLLOW-UP ----------

QUESTION: The host file is clean. Kaspersky would not install because of incompatibility. F-Secure did not find anything. The hijacker is still alive and well. I can now only run my computer in safe mode. When I start it regular it instantly goes to the blue screen of death. Any more ideas?

P.S. Thanks a lot for what you have done so far; this is just a tough one.

ANSWER: Ouch! You do have a serious problem. The incompatibility problem with installing Kaspersky, the inability of F-Secure to find anything, and those blue screens of death almost certainly mean that your computer must be infected with an extremely rare -- but buggy -- malicious program.

Before you do ANYTHING ELSE, please back up all your data. Also, if you have been using a credit card online or accessing any of your financial accounts online, it would be a good idea to get them to provide current records of your transactions, and use your telephone to change your passwords. If you use a dialup phone line to access the Internet, get a current record of your phone bills in case this infection has been dialing expensive 900 numbers or foreign phone numbers without your knowledge. If you find anything abnormal, be sure to complain in writing and via phone both and do so immediately so you can get those unapproved transactions reversed.

Next, here is something easy that might work, but is not likely to work, unfortunately. Try going back to before this all began with System Restore.

If this doesn't work, you will have to "nuke" your computer. This is what a computer repair shop would do. To nuke your computer, you will use the installation disks that came with it (or with some manufacturers there is a hidden partition on the hard drive that can restore your factory settings). Whether restoring factory settings from installation disks or a partition on the hard drive, you must choose the option to reformat the hard drive first. The repair option will almost certainly not work. This will destroy all your data and all programs you installed since buying the computer. However, it also will get rid of the infection.

Please let me know if this doesn't work. The only other possibility I can think of is a hardware error, but so far what you describe looks like an infection with a particularly dangerous malicious program.

---------- FOLLOW-UP ----------

QUESTION: System Restore is turned off on this machine. However, I have some good news. While in safe mode I tried to uninstall some programs, but Windows Installer was turned off; so I turned it on, which made the computer go to the blue screen. I then decided to try disabling the Windows Installer service and have since been running in normal mode with no issues. The hijacker is still here, but I am reluctant to nuke it as long as it will run. Unfortunately this good news just adds to the mystery of it all. I still cannot understand how the hijacker runs invisibly. Any thoughts?

ANSWER: Your evidence points toward a malicious program of considerable rarity and sophistication running on your computer. If it were my computer, I would nuke it right away, because we don't know all the things that malicious program might be doing with your computer, or who controls that malicious program.

If you don't nuke your computer, I strongly advise you to never use a credit card on the Internet, don't access your bank account or other financial information from your computer, and never store information about yourself on your computer that could be used in identity theft.

If you don't nuke your computer, then here is what you could do to get around your browser problem. Install either the Firefox browser, free from www.mozilla.com, or the Opera browser, free from www.opera.com. Both of these are resistant to hijacking.

Carolyn Meinel

Expertise

I cover Windows, Linux, TCP/IP and Ethernet security questions. I do not cover Mac, smart phones, or other networking issues.

Experience

Books by Carolyn Meinel: wrote a chapter for The Hacking of America book (see http://www.amazon.com/exec/obidos/ASIN/1567204600/happyhacker). My article Code Red for the Web for Scientific American was reprinted in the book Best American Science Writing 2002 (see http://www.amazon.com/exec/obidos/ASIN/0060936509/happyhacker). My book The Happy Hacker: A Guide to Mostly Harmless Hacking is now in its 4th edition, with a Japanese edition (see http://happyhacker.org/hhbook/).

Organizations
IEEE, AAAS

Publications
See a list with some online links at http://cmeinel.com

Education/Credentials
MS, Industrial Engineering, The University of Arizona. Took a course in computer forensics at the University of Texas at Austin.

Past/Present Clients
DARPA, SAIC, Palmer Labs

©2012 About.com, a part of The New York Times Company. All rights reserved.