Google/Bing malware hijack


Post by Cousi » Fri Nov 11, 2011 1:41 pm

There is a new malware program out there that hijacks traffic from Google or Bing so that when you click on a link in a search result, you get redirected. It's a pain to remove; the only one that can do it that I know of is MalwareBytes, which leads me to certain thoughts, but I digress. If you download and install MalwareBytes, it will remove it, but you'll have to remove the redirect from your hosts file, or you'll never reach Bing or Google. PM me if you need help with this (or I could post the process here if enough people want it).
"When the mob and the press and the whole WORLD tell you to move, your job is to plant yourself like a tree beside the River of Truth and tell the whole WORLD:

'No, YOU move.'" - Captain America

It's still the same old story
A fight for love and glory
A case of do or die.
The world will always welcome lovers
As time goes by.
- Herman Hupfeld

Veritas et Lux et Vitae

Re: Google/Bing malware hijack

Post by Major Eaton » Fri Nov 11, 2011 2:10 pm

Cousi wrote: (or I could post the process here if enough people want it).


Yes, please.
We have top men working on it....right now.

Re: Google/Bing malware hijack

Post by Cousi » Fri Nov 11, 2011 3:53 pm

Okay, some basics first: DNS is Domain Name Service and it's the human-readable portion of the web, like thefedorachronicles.com. DNS points to the IP address of the website you're going to, so say thefedorachronicles.com's IP is 1.2.3.4 (it isn't), the web's global DNS will point all requests for thefedorachronicles.com to that numerical address. Your Hosts file is like a local DNS for your machine: anything listed in the Hosts file will be where your browser goes regardless of how the web's global DNS dictates, so if you have thefedorachronicles.com listed in your Hosts file as going to 5.6.7.8, that is where your browser will take you no matter what.

On Windows (I believe this is the same location for Win 7 and XP) the Hosts file is a secure file located at C:\Windows\System32\Drivers\ETC. You'll have to change your folder options to display hidden files and folders in order to see it if you're using the graphical interface. Double-click on it and open it with Notepad - DO NOT CLICK ALWAYS OPEN WITH THIS PROGRAM! Once it's open it will have this header:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

Everything behind the pound sign (#) will not be used by the web, as indicated. After this header you may see some entries displayed like this:
93.240.173.92 google.com

You want to delete any entries for Google or Bing - the malware created these entries to direct traffic where they want it. You can leave everything else alone. This part is important: when saving, click on File>Save As. Then change the "Save as type" to "All Files" before clicking save. If you don't, Notepad will default to saving it as a .txt file, which won't do anything except take up space.

I should point out you have to remove the malware first, or it will just replace the entries next time you open a browser. Some signs of this malware being present are a general slowness of the browser, especially when first opening or when going to a specific page.

Let me know if you have any problems or questions. 8)
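The hosts-file cleanup described in the post above, as an added example that is not part of the original thread: a small Python audit that lists entries overriding Google or Bing and produces a cleaned copy with only those names removed. The function names, the `WATCHED` list and every sample line except `93.240.173.92 google.com` are assumptions made for illustration.

```python
# Added example (not from the thread): audit a hosts file for search-engine overrides.
# Assumption: which names count as "Google or Bing"; extend the tuple as needed.
WATCHED = ("google.com", "bing.com")

def is_watched(host):
    """True for a watched domain or any subdomain of it (case-insensitive)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (findings, cleaned_text).

    findings: list of (line_number, ip, hostname) for watched names.
    cleaned_text: the file with only those names removed; comments,
    blank lines and unrelated entries are kept.
    """
    findings, kept = [], []
    for n, line in enumerate(text.splitlines(), 1):
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:            # blank, comment-only or malformed line
            kept.append(line)
            continue
        ip, names = fields[0], fields[1:]
        bad = [h for h in names if is_watched(h)]
        findings += [(n, ip, h) for h in bad]
        if not bad:
            kept.append(line)
            continue
        good = [h for h in names if not is_watched(h)]
        if good:                       # keep unrelated names on the same line
            tail = " " + sep + comment if sep else ""
            kept.append(" ".join([ip] + good) + tail)
    return findings, "\n".join(kept) + "\n"

# Constructed sample: the entry quoted in the post plus made-up lines.
SAMPLE = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
93.240.173.92 google.com
93.240.173.92 WWW.Bing.com intranet.example  # constructed
192.0.2.10 printer.example
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE)
    for n, ip, host in found:
        print(f"line {n}: {host} -> {ip}")
    print(cleaned, end="")
```

To check a real machine, pass the contents of the hosts file in the folder named in the post to `audit_hosts`; writing the cleaned text back needs an elevated prompt, and only makes sense after the malware itself has been removed.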

Re: Google/Bing malware hijack

Post by Super Ordinary Guy » Fri Nov 11, 2011 4:39 pm

Thanks Cousi... You Da Man....

Hopefully some of the other software programs will update to be able to clean this up soon.....

But your after-removal tips are great, Thanks again......
Some days it's just not worth chewing through the restraints.