  • Status: Solved

All search engines blocked

NOTE: This is not about the common search engine redirect infection.

The issue is with a Windows XP Pro 32-bit machine inside a Windows Server 2003 domain. No other computers on the network have any issues so it is not the firewall or server.

The problem with this XP computer is that after getting infected by some trojans, malware, etc., I could no longer access any search engines (Google, Yahoo, Bing, etc.). I will repeat that I don't have the common fake search result redirection issue; these websites are simply not available at all. I also know that it is not a browser issue, because I have cleared all settings on all browsers and I have even downloaded new browsers that were never installed before, such as Chrome and Opera, but still no luck getting to those few websites. I don't have a Hosts file inside Windows\System32\drivers\etc so I don't think it is related to that file.

By the way, all infections have allegedly been removed per AVG Pro, Hitman Pro 3.6, Malwarebytes full trial version and ESET online scanner. System restore is not working for any available restore points, so it is not an option. And of course I know reinstalling the OS is an option; please don't suggest that. Thanks.
0
kinecsys
2 Solutions
 
Anuroopsundd Commented:
Run HijackThis and check if there is still something there which may be causing the issue. Remove them if you think they could be the issue.

Also reset TCP/IP and Winsock with the commands below:
netsh int ip reset c:\resetlog.txt
netsh winsock reset
0
 
dbrunton Commented:
>>  I don't have a Hosts file inside Windows\System32\drivers\etc

So where is your hosts file?

See http://mihaiu.name/2005/windows-hosts-file-ignored/ and check where it is.  Might be another hosts file somewhere you don't know about.
0
 
flubbster Commented:
I agree. Either your hosts file has been moved, it is hidden and you did not set to view hidden and system files, or its location was modified in the registry.
0
 
Kyle Davies, Retail Software Specialist, Commented:
Have you tried pinging Google, Yahoo and any other site to see if you have access to the internet? There could be something blocking you.
0
 
kinecsys (Author) Commented:
I'll reply to others a bit later...

Kyle_Davies: I did try pinging those sites by name and they are unreachable. Other domain names are reachable as always. Does that tell you anything?
0
 
flubbster Commented:
Still think it is the hosts file. Did you set the system to view hidden and system files?

Download and run this hosts file unlocker:

http://download.bleepingcomputer.com/bats/hosts-perm.bat

Look in the registry for the currently set location of the hosts file per the post above. If it is anywhere other than c:\windows\system32\drivers\etc, then it needs to be changed.
0
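Added example (not part of the original thread or any poster's code): a Python triage sketch of the three checks suggested above, run against collected artifacts: whether the registry still points at the stock hosts directory, whether the hosts file carries hidden/system attributes, and whether any entry overrides the unreachable search engines. It assumes the registry value is DataBasePath under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, which the thread does not name; the function names and all sample data are constructed for illustration.

```python
import ntpath

# Assumption: DataBasePath under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
# is the registry value that sets the hosts directory; the thread does not name it.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
WATCHED = ("google.", "yahoo.", "bing.")      # sites the asker could not reach
HIDDEN, SYSTEM = 0x2, 0x4                      # Windows file attribute bits

def normalize(path, system_root=r"C:\WINDOWS"):
    """Expand %SystemRoot% and normalise case and separators for comparison."""
    expanded = path.lower().replace("%systemroot%", system_root.lower())
    return ntpath.normpath(expanded)

def database_path_is_default(reg_value, system_root=r"C:\WINDOWS"):
    """True when the registry still points at the stock hosts directory."""
    return normalize(reg_value, system_root) == normalize(DEFAULT_DB_PATH, system_root)

def attribute_flags(attrs):
    """Name the attribute bits that hide a file from a default Explorer view."""
    return [n for n, bit in (("hidden", HIDDEN), ("system", SYSTEM)) if attrs & bit]

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield no, fields[0], name.lower()

def suspicious_entries(text, watched=WATCHED):
    """Mappings that override a watched site, whatever address they point at."""
    return [(no, addr, name) for no, addr, name in parse_hosts(text)
            if any(name.startswith(w) or "." + w in name for w in watched)]

# Constructed sample data, not taken from the asker's machine.
SAMPLE_REG_VALUE = r"%SystemRoot%\System32\drivers\etc2"
SAMPLE_ATTRS = 0x26                            # archive + system + hidden
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# constructed entries below
127.0.0.1   www.google.com google.com
0.0.0.0     search.yahoo.com   # blackholed
10.0.0.5    intranet.example
"""

if __name__ == "__main__":
    print("DataBasePath is default:", database_path_is_default(SAMPLE_REG_VALUE))
    print("hosts attributes:", attribute_flags(SAMPLE_ATTRS))
    for no, addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {addr}")
```

A hosts file that shows only the localhost entries, as the asker reports later in the thread, yields no hits here, which is why the registry location and attribute checks are run alongside the entry scan.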
 
kinecsys (Author) Commented:
Flubbster: I won't have access to the machine until a few hours from now, but I'll let you know how that unlocker works out. Last I messed with it, I found out that the hosts file was in the right location but it was set as a hidden system file. However I was able to rename it and create a new one in the right location but that didn't fix anything. May be worth noting that the altered hosts file didn't have any entries in it other than the usual 127.0.0.1 localhost and ::1 localhost, so even though it was hidden and locked (I could rename it but not delete it), I don't think it was doing anything.
0
 
Kyle Davies, Retail Software Specialist, Commented:
I agree with flubbster, it can only still be your hosts file. Have you tried putting your router's IP address in your DNS settings?
0
 
Sudeep Sharma, Technical Designer, Commented:
How about running RogueKiller or TheKiller to fix the hosts file related issue?

Also, have you tried TDSSKiller yet?

IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM - TheKiller
http://www.experts-exchange.com/A_1995.html

I would recommend scanning the system with the tools mentioned below, in the sequence they are mentioned:
1. RogueKiller
2. MalwareBytes
3. TDSSKiller

I would also recommend that you go through the articles from Younghv and RPG for links to the tools and for future reference:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/A_3299.html

I hope that would help.

Sudeep
0
 
flubbster Commented:
Some malware creates a hosts file that is completely inaccessible by normal means which replaces the original. I've seen cases where the original was in place but was not the actual one being used.
0
 
kinecsys (Author) Commented:
So it was the hosts file, but in the end I was unable to fix it because it got to the point where I couldn't log in to Windows even in safe mode.

Half the points go to dbrunton for being the first to mention the hosts file and the other half go to flubbster for suggesting that it could have been converted to a hidden system file.

Those two answers led me to pinpoint the problem.
0
