Watch those hosts files!

March 02, 2010 | Blog

I recently had the job of cleaning up a client’s computer that had become infected with various strands of malware and trojans. A few sweeps with SuperAntiSpyware (www.superantispyware.com) and Malwarebytes (www.malwarebytes.org) seemed to restore it to full health. However, I noticed that clicking on search results from Google was consistently diverting me to the same site which bore no relation to the original search terms.

I’ve seen this before, so I had a quick check on the HOSTS file located in \Windows\system32\drivers\etc. The HOSTS file is a hangover from Unix and is used to translate host names (e.g. www.google.com) into IP addresses. Normally, all it contains is a reference to the loopback address, localhost – 127.0.0.1, and on first inspection, this one was fine. But by going into Explorer, Folder Options, View and turning off “Hide extensions for known file types”, it became clear that the HOSTS file had been renamed to HOSTS.msn. The real HOSTS file had been hidden and was filled with entries for Google, diverting you to an alternate IP address.

I couldn’t delete the file, so I renamed it to HOSTS.bad and then renamed the HOSTS.msn to HOSTS. A quick reboot and Google searches were up and running.
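
A check along these lines, written as an added example rather than code from the original post: it lists every file in the etc folder named hosts or hosts.* together with its hidden attribute, and flags hosts entries that map a name to anything other than a loopback address. The sample file contents and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import os

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; st_file_attributes is absent elsewhere

# Constructed sample: 203.0.113.10 is a documentation address, not a value from the post.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # redirect of the kind described above
"""

def suspicious_entries(hosts_text):
    """Return (line_no, address, hostname) for each mapping that is not loopback."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "<unparseable address>"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 localhost, or 0.0.0.0 sinkhole entries
        findings.extend((line_no, str(ip), name.lower()) for name in fields[1:])
    return findings

def hosts_candidates(etc_dir):
    """List (name, hidden) for every file called hosts or hosts.<anything>."""
    found = []
    for entry in os.scandir(etc_dir):
        base = entry.name.lower()
        if entry.is_file() and (base == "hosts" or base.startswith("hosts.")):
            attrs = getattr(entry.stat(), "st_file_attributes", 0)
            found.append((entry.name, bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return sorted(found)

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("non-loopback mapping:", finding)
    etc = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                       "System32", "drivers", "etc")
    if os.path.isdir(etc):
        for name, hidden in hosts_candidates(etc):
            print(f"{name}  hidden={hidden}")
```

Entries an administrator added on purpose, such as intranet names, will be listed too, so the output is a review list rather than a verdict.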








