Google redirects


  1. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #11

    Bubbayoshi said:
    no idea about the ip address
    No idea???? Are you on a networked computer? Is there anything about your computer which is different from my old, poor standalone machine sitting in the corner? If not then why is that entry there?

    Here's what you can do. Back up your hosts file to another location, then edit it in Notepad so it's identical to the one I posted and let that be the hosts file on your HDD. Let us know.


  2. Posts : 97
    Windows 7 Home Premium 64bit SP 1
    Thread Starter
       #12

    Sometimes I connect it to my school's network.


  3. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #13

    Look, I'm not the greatest in this area, but that hosts file looks suspicious to me. It should at least have a localhost entry, so I repeat: back it up somewhere, then edit the file to default, save and see whether you connect properly.

    Also, that IP address, why is it in the 169 range? Check your own IP address: in command prompt type ipconfig, hit Enter. Is it 192... or 169...?


  4. Posts : 97
    Windows 7 Home Premium 64bit SP 1
    Thread Starter
       #14

    Ran ipconfig, said my IPv4 was a 192. bubbayoshi-pc is how my laptop shows up on the school network, now that I think about it.


  5. Posts : 429
    Windows 7 Professional x64
       #15

    I've helped 4 people with the Google redirect virus thing .. they were all on XP 32bit, so I don't know if it'll work for W7 x32 or x64. I tried everything, and nothing seemed to detect it or fix it .. until I found ComboFix from bleepingcomputer, and it cleared it right up.


  6. Posts : 1,442
    Windows 7 Professional 64bit
       #16

    I fixed this on a friend's computer. You need to download "rkill" and run it in safe mode. Do not restart the computer; while still in safe mode, run MBAM.
    He had a virus/malware called "Antivirus8"; this was on Windows XP, however.


  7. Posts : 22
    Windows 7 Home Premium 32bit.
       #17

    Be careful using ComboFix.

    It will reset the hosts file, but this is safer:

    HostsXpert
    Can you please download HostsXpert from http://www.funkytoad.com/index.php?option=com_content&id=13
    Run it. When it opens, click on the Restore Original Hosts button and then exit HostsXpert.
    This will reset your hosts file back to the default one.


  8. Posts : 4
    Windows 7 Pro 32bit
       #18

    A HOSTS file reset may not work.

    I have been having the exact same problems as Bubbayoshi for the last four days now.
    It all started just after my wife noticed that "whitesmoke translator" crap was installed on our computer in the background. She removed the program successfully and ran virus and spyware scans to be sure she got it all (at that point nothing else was found by the scans). After removing "whitesmoke translator" IE would not open at all when clicking the shortcut or trying to run the program by going to the run command and entering "iexplore.exe".
    I installed Google Chrome and Firefox; both gave me the same issue, they would not open at all.
    I went and manually updated MBAM and Nod32 (I have the paid version of both) so they were on the latest signature database versions and ran both again. I found some scraps of an "anti malware doctor" infection with MBAM and seven infected registry entries from Java with Nod32. I removed all of those and now my web browsers will load properly but every time I use Google to search anything on IE, Chrome, and Firefox I am redirected to "cr0zybaner .com" when I click on any search result.

    I dug around for a VERY long time and created a custom block list for PeerBlock containing all of the IPs associated with "cr0zybaner .com" AND its affiliated companies and web sites, thinking that if I block traffic altogether to those IPs and have it blocked in my HOSTS file I could get around the redirect. That was my problem, I was thinking (and now my head really hurts).

    I have tried everything in this thread and most things in other threads and nothing has worked. The last thing I tried was suggested on another forum.
    I went to http://www.mvps.org/***********/hosts.htm and followed all the instructions there for completely replacing the HOSTS file, I even added the entry "127.0.0.1 cr0zybaner. com" to the HOSTS file so it would be completely blocked as suggested and all I get is "page cannot be displayed" (which is a step up from being completely redirected to the site) when clicking on a result in Google search.

    I ran HijackThis and did not see anything out of the ordinary. I recognize everything in the report as being normal for my computer, but I will include the report for your review in case I have missed something.
    I have had varying degrees of this problem on my network. So far I have a custom-built Windows XP Home desktop that I was able to (as far as I can tell) fix the problem completely on, an Acer Aspire One netbook that I ended up reformatting because it was so bad off anyway, an Acer Aspire 5000 laptop that does not seem to have been affected at all, and the main computer (the one that I am currently having the most problems on), a custom-built Windows 7 Pro desktop.
    Just to recap:
    1) I ran MBAM and Nod32 (both completely up to date and the paid versions); no infections found pertaining to this issue.
    2) I completely reset IE (which was successful but did not fix the issue).
    3) On the “Google Redirect Virus Removal - How to Manually Remove Google Redirect Virus” I followed all the steps again (I had pretty much gone through all that before checking online for a solution to this issue).
    4) On the “Google Redirect virus walkthrough” I used the “Windows Malicious Software Removal Tool November 2010” and it came up completely clean.
    5) Currently I am running the “A-squared” software recommended on the Google Redirect virus walkthrough (with beta updates on the off chance a beta signature database would at least find the problem so I would know where to go next).
    6) Completely replaced the HOSTS file, adding "127.0.0.1 cr0zybaner. com" to the file as suggested here: http://www.questionhub.com/YahooAnswers/20101121115404AAhrqjB


    I do not mean to sound so long-winded; I am just hoping that if I list absolutely everything I have done, someone will be able to suggest something I have missed or possibly narrow down the list of things that could be done next.
    At this point I am tempted to format reload and just be done with this but I am hoping that I can find a good solution to this problem since it seems to be more prevalent as the months go by and I work with computers as a business (at the very least I would be able to provide a proper solution to customers experiencing the same issue).
    I greatly appreciate any help or suggestions anyone can offer.
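The hosts-file checks discussed in posts #13 and #18, as an added example that is not part of any post in this thread: a Python script that lists every active hosts entry other than a plain localhost line and labels it as a block entry (loopback or 0.0.0.0), a link-local address (169.254.0.0/16), a redirect to some other fixed address, or a malformed line. The sample file, its host names and the label names are constructed for the example.

```python
import ipaddress
import sys

# Constructed sample for this example; not the hosts file posted in the thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1      localhost
::1            localhost
169.254.10.20  example-pc          # link-local address
203.0.113.7    search.example www.search.example
127.0.0.1      blocked.example     # manual block entry
not-an-ip      broken.example
"""

def classify(ip_text, names):
    """Label one hosts entry; return None for a plain localhost mapping."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        # Loopback is expected for localhost; for any other name it blocks the site.
        if all(n.lower() == "localhost" for n in names):
            return None
        return "sinkhole"
    if ip.is_link_local:
        return "link-local"
    # Any other address overrides DNS for these names and deserves a manual look.
    return "redirect"

def audit_hosts(text):
    """Return [(line number, label, address, names)] for entries worth reviewing."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        label = classify(fields[0], fields[1:]) if len(fields) > 1 else "malformed"
        if label:
            findings.append((lineno, label, fields[0], fields[1:]))
    return findings

if __name__ == "__main__":
    # Pass a path such as C:\Windows\System32\drivers\etc\hosts to audit a real file.
    text = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:  # tolerate a BOM
            text = fh.read()
    for lineno, label, ip, names in audit_hosts(text):
        print(f"line {lineno}: {label:10} {ip} -> {' '.join(names)}")
```

A "sinkhole" entry sends the browser to the local machine, so the visible result is an error page rather than the redirect target.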


  9. Posts : 4
    Windows 7 Pro 32bit
       #19

    Sorry, forgot to include the Hijack This log in my previous post.

    Code:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:17:39 PM, on 11/28/2010
    Platform: Windows 7  (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16671)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\PeerBlock\peerblock.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\ASUS\AASP\1.01.02\aaCenter.exe
    C:\Program Files\RealVNC\VNC4\vncclipboard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\owner\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SMTTB2009 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\WebScout Toolbar\tbcore3.dll
    O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
    O3 - Toolbar: WebScout Toolbar - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files\WebScout Toolbar\tbcore3.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
    O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Users\owner\AppData\Local\Temp\E_S159D.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    --
    End of file - 7492 bytes


  10. Posts : 22
    Windows 7 Home Premium 32bit.
       #20

    Can you please download and run this: TDSSKiller.exe

    How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

    Let us know if it finds anything.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd