Windows XP - Hosts file has been tampered with


Solution 1

Microsoft has this tutorial for you:

How do I reset the hosts file back to the default?

If necessary, do this in Safe Mode.
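Before resetting, it helps to see exactly which mappings were planted. The script below is an added example (not part of the original answer or of Microsoft's tutorial): it parses a hosts file in the format Windows XP uses at %SystemRoot%\system32\drivers\etc\hosts, flags hostnames that are redirected to a routable address rather than to a loopback or 0.0.0.0 sinkhole, and writes a cleaned copy that keeps legitimate entries (such as ad-blocking lines) intact. The sample file content and the watch list of domains are constructed for the example, modelled on the entries quoted in the question; the path handling in the usage block is also an assumption. It reads the file as plain text, so it does not help with the locked or hidden file described in the question; for that, the reset procedure or an offline boot is still needed.

```python
"""Audit a Windows hosts file for hijack entries and emit a cleaned copy.

Added example, not from the original page.  SAMPLE_HOSTS is constructed
to resemble the excerpt quoted in the question; WATCHED is an assumed
watch list of domains that hijackers commonly redirect.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample input (hypothetical), modelled on the question's excerpt.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
188.124.7.190 www.google.com
188.124.7.190 google.com
188.124.7.190 google.com.au
188.124.7.190 www.google.com.au
188.124.7.190 www.bing.com
188.124.7.190 search.yahoo.com
0.0.0.0 ads.example.net   # ad-blocking entry, benign
"""

# Assumed watch list: search engines and the sites listed in the answers.
WATCHED = [re.compile(p) for p in (
    r"(^|\.)google\.[a-z.]+$",
    r"(^|\.)bing\.com$",
    r"(^|\.)yahoo\.com$",
    r"(^|\.)microsoft\.com$",
    r"(^|\.)malwarebytes\.org$",
    r"(^|\.)safer-networking\.org$",
)]


def parse_hosts(text):
    """Return (ip, hostname, lineno) for every mapping; comments and blanks skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        entries.extend((ip, name.lower(), n) for name in names)
    return entries


def is_sinkhole(ip):
    """Loopback or 0.0.0.0 targets block a name rather than redirect it."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return addr.is_loopback or addr.is_unspecified


def is_watched(name):
    return any(p.search(name) for p in WATCHED)


def find_hijacks(text):
    """Return (lineno, ip, hostname, reason) for each suspicious mapping."""
    entries = parse_hosts(text)
    names_per_ip = defaultdict(set)
    for ip, name, _ in entries:
        names_per_ip[ip].add(name)
    flagged = []
    for ip, name, n in entries:
        try:
            if is_sinkhole(ip):
                continue
        except ValueError:
            flagged.append((n, ip, name, "unparseable address"))
            continue
        if is_watched(name):
            flagged.append((n, ip, name, "watched domain redirected"))
        elif len(names_per_ip[ip]) >= 3:
            flagged.append((n, ip, name, "many names on one routable address"))
    return flagged


def clean_hosts(text):
    """Return the file with flagged mappings removed.

    Untouched lines are copied verbatim; a line that loses all of its
    hostnames is dropped, one that loses some is rewritten."""
    bad = {(ip, name) for _, ip, name, _ in find_hijacks(text)}
    out = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        parts = body.split()
        if not parts:
            out.append(raw)
            continue
        ip, names = parts[0], parts[1:]
        keep = [nm for nm in names if (ip, nm.lower()) not in bad]
        if len(keep) == len(names):
            out.append(raw)
        elif keep:
            out.append(f"{ip} {' '.join(keep)}" + (f" #{comment}" if comment else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, ip, name, why in find_hijacks(text):
        print(f"line {lineno}: {ip} -> {name} ({why})")
    print("--- cleaned ---")
    print(clean_hosts(text), end="")
```

On a live XP box the cleaned output would be written back over the hosts file after the malware is gone; while the infection is active the file is typically locked or attribute-protected, which is exactly the symptom the question reports.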

Solution 2

You've got a virus, or some other intruder. My advice is to back up, disconnect from the Internet, reformat and reinstall your operating system. Consider your Wordpress password (and indeed, all of your other passwords you may have recently typed into that computer) compromised; whatever software is rewriting your hosts file may contain a key logger.

You might consider disconnecting that machine from the Internet to research the symptoms and see if you can conclusively determine the source of intrusion, but I would strongly advise against using the computer for anything else in the meanwhile. Until it's disconnected, consider all your actions and the contents of that machine to be visible to some hostile 3rd party.

A quick check shows that the address in question is actually serving up Google's content more or less seamlessly, with the exception that they're using a self-signed SSL certificate. I would change all of your passwords, especially for google.com and gmail.

Solution 3

This is typical of many malware apps. Do you have a good AV installed and up to date? Use other tools like Spybot Search and Destroy, Adaware and Malwarebytes to scan. I would use all three. Double check that system restore is off and stays off. Be aware that some malware will block you from these sites and AV sites, so you may have to download and install from alternate media.

MalwareBytes

Spybot

Adaware

Solution 4

Note: This answer will not help you fix the problem. It is a stopgap only.

Until this is fixed, should you need to Google, enter any of Google's IP addresses in your address bar.

C:\>nslookup www.google.com
*** Can't find server name for address 10.2.1.3: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  10.2.1.3

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    www.l.google.com
Addresses:  74.125.45.103, 74.125.45.104, 74.125.45.105, 74.125.45.106
          74.125.45.147, 74.125.45.99
Aliases:  www.google.com


Edit: To search, you'll need to manually build your query.

For example:

http://74.125.45.103/search?q=dns+hijack+problem

Solution 5

I recommend trying to use some live Linux distributions to startup your computer - these distros run directly from the CD. They can read the Windows partition, and often write to it as well.

Be warned, however, that you can really mess up your computer if you don't know what you are doing or don't know how to use Linux. I can recommend Puppy Linux as quite a user friendly distro with its own browser and other essential tools. It should be seen as a temporary solution, but may be a lifesaver!

A good feature is that you can move files and take backups from your hard drive into a USB hard drive without needing Windows.


Author: user27210

Updated on September 17, 2022

Comments

  • user27210
    user27210 almost 2 years

    My Windows XP hosts file has been tampered with, and I can't fix it. This is particularly bad because whatever tampered with the hosts file left these:

    ...
    188.124.7.190 www.google.com 
    188.124.7.190 google.com 
    188.124.7.190 google.com.au 
    188.124.7.190 www.google.com.au
    188.124.7.190 google.be 
    188.124.7.190 www.google.be
    ...
    

    If I understand this correctly the hosts file is responsible for mapping IP addresses to names, correct? It appears that someone went through the effort of mapping google (all languages), bing and yahoo all to one ip address but whatever server my google searches were being routed to has been taken down, thus cutting me off from any form of search engine whatsoever. I had to log in to Super User with my Wordpress account just so I could post this.

    I've tried manually deleting those lines from the hosts file but for some reason I'm unable to save it. I'm running as Administrator right now, and I've tried this in safe mode as well, nothing I've tried works. It's worth mentioning now that I disabled System Restore. Could anyone help?

    edit: I've already tried running AV and anti-malware, Spybot S&D couldn't touch the hosts file either.

    • eleven81
      eleven81 over 14 years
The IP that you've found in your hosts file is assigned to a computer located in Turkey. The ISP is named VITAL TEKNOLOJI TELEKOMUNIKASYON BILGISAYAR HIZMET.
    • Joel Coehoorn
      Joel Coehoorn almost 13 years
      count yourself lucky the server is down. Better broken searches than the broken bank account or identity you might get if you actually let your machine route any traffic through that server.
  • user27210
    user27210 over 14 years
    I've already tried running Spybot S&D and it couldn't access the hosts file either.
  • KiiroSora09
    KiiroSora09 over 14 years
    +1. DNS hijackers are usually installed by exploits (make sure your browser and plugins are up to date next time; don't install plugins you don't definitely need, for example Adobe Reader's PDF plugin that has caused many, many infections over the last year). The other main source is ‘fake codec’-style social engineering attacks.
  • user27210
    user27210 over 14 years
    This doesn't work either. I noticed that there is no 'hosts' file in the .../etc folder, and setting folder options to display hidden files doesn't show anything as well. Trying to create a new hosts file just gives me a 'Cannot create file, file already exists' error.
  • user27210
    user27210 over 14 years
    This gets me to Google's homepage but no farther than that.
  • xor
    xor over 14 years
    @cornjuliox - Run a BartPE CD and sort it out (always handy to have anyway), however, there is something seriously wrong with your system.
  • user27210
    user27210 over 14 years
That's the thing, I don't see a 'hosts' file here. It's like it's hidden, but setting the folders to display hidden files does nothing.
  • user27210
    user27210 over 14 years
    It looks like the right way to go is to use the fixit application, and not the manual method. Strange thing is that now it doesn't look like there's a hosts file anymore...
  • user27210
    user27210 over 14 years
I've got a quick question before this thing is eventually locked. I'm told that it's safe to delete the hosts file altogether, is that right? I could avoid this problem on brand new installs just by deleting the hosts file.
  • William Hilsum
    William Hilsum over 14 years
    This is very confusing :S Are you sure the file is there now? I see you said in another comment about deleting it...
  • xor
    xor over 14 years
    @cornjuliox - you can delete it alright, but a well maintained Hosts file can be quite useful.