Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Resolved Question

IE8 Host Has Been Hijacked By Trojan

Jul 31, 2011 2:58PM PDT

I cannot use IE8 because shortly after opening, the URL changes to either of the following:
failover-ask.com.edgesuite.net/failover.png
OR websearch.ask.com/redirect? (DO NOT VISIT LINK)

I listed these in IE8 to be Blocked, but that had no affect.
Prior to this, I had a problem with two trojans that could not be deleted or moved to vault. I tried FIX IT help and as suggested, I set Security and Hosts to default. That did not work. I tried to run Malwarebytes in Safe Mode, but I got a blue screen.
I have been advised that the best thing is to remove my main drive and scan it outside my computer on another machine and then reinstall XP (and all the other programs).
The only other idea that I have seen online is to run HostsXpert and examine the allowed hosts that are shown in Windows System32 and make the necessary editing to remove any incorrect hosts listed there.
I am hoping that someone may have an easier solution to this problem. Thank You! Mike Briody

Note: This post was edited by a forum moderator to remove active link, to prevent others from being infected on 08/01/2011 at 9:40 AM PT

Discussion is locked

mike281 has chosen the best answer to their question. View answer

Best Answer

- Collapse -
Run MalwareBytes Anti-Malware when starting windows normally
Aug 3, 2011 6:34AM PDT

Since your Internet Explorer has been browser hijacked or you have been URL poisioned, the best thing to do is install and run MalwareBytes Anti-Malware (If you have not got it already).

It is a very advanced anti-malware removal and detection program, it should fix your Internet Explorer.

Hope this helps.

- Collapse -
IE8 Problems
Aug 3, 2011 8:41AM PDT

Thanks for your suggestion. I had been using MalwareBytes free edition and since this problem started I upgraded to Pro and purchased the CD too, in case I have to reinstall XP and everything else. I'll continue to use it and SuperAntiSpyware and then RKILL to see if I can get this cleared up. Mike

- Collapse -
IE8 Problems
Aug 5, 2011 10:30AM PDT

I have not been able to use Safe Mode at all. If I try any of it's functions, I get a blue screen, so I can't run MalwareBytes or anything else in Safe Mode. I don't have the host problem anymore, but the two unremovable trojans remain, as well as the dialog boxes that pop up over the IE8 screen. I looked online for apps to remove Trojan horse Cryptic.CTC and found one but it didn't work.

- Collapse -
Not looking too good.
Aug 5, 2011 11:09PM PDT

If Safe Mode doesn't work then it seems the problem runs deeper into the OS than first thought.

Did you do the other actions that Grif said in his post here?
http://forums.cnet.com/7726-7574_102-5179594.html

He said keep running RKill over and over again, interspersed with running MBAM and SAS

Mark

- Collapse -
LOOKS Like Your Suggestio Worked THANX!
Aug 15, 2011 5:08AM PDT

using rKill and Antimalware Bytes Pro, over n over as u suggested , about a week ago, i was able to fix this. I waited to reply here to make sure the 'fix' stayed OK. Thank you very much for your help! Mike

- Collapse -
That's great
Aug 15, 2011 9:00PM PDT

and thanks for calling back in to tell us.

Mark

- Collapse -
Answer
Have you just tried
Jul 31, 2011 10:08PM PDT

changing your Home Page?

Open IE, goto Tools > Internet Options then the General tab, delete all entries in the Home Page box, then select "Use blank". Restart IE and test. You can always re-select your favored Home Page if you wish.

Other than that, have a look at your Hosts file, ( C:\Windows\System32\drivers\etc\Hosts ), open it with Notepad, (but be sure you don't set Notepad as the default application to 'always' open this type of file), then look through the list for anything that re-directs to fallover-ask.com or websearch.ask.com and delete those. Re-save Hosts but make sure it is not saved as a txt file. This file has no file extension.

Mark

- Collapse -
IE8 HOST HIJACKED
Aug 1, 2011 3:14AM PDT

Thanks very much Mark, I'll give those a try!

- Collapse -
IE8 hijacked By Trojans
Aug 1, 2011 8:30AM PDT

Hi Mark, I tried a reset to a blank page and that did not help. I don't see either of the the problem URLs in the System32 hosts listing. In addition I am now getting a dialog box that keeps popping-up one on top of the other in IE8, making it very hard to use. I have a screen capture of that box converted to a jpg, but I don't know how to include or attach that here.
I don't know if the CD I got from Dell with my DELL4600, seven years ago is a 'repair' CD or if it will wipe my system clean if I use it. A friend who has been a computer operations professional for over 30 years says he thinks it will set my computer back to factory settings. He says that reinstalling XP and all my software will be a very long and involved process. (he has done it many times, but is disabled now.)
Mark, Thank you for your help. Mike

- Collapse -
This looks like
Aug 1, 2011 10:37PM PDT
- Collapse -
IE8 Hijacked + Your Suggestions
Aug 2, 2011 6:24AM PDT

Mark, the article which you referenced is for Windows 7, I am running XP.

- Collapse -
Looked again and I would use that on XP.
Aug 2, 2011 8:35AM PDT

I fear that asking for versions of the same thing for each OS may not happen. The software used is known to work on XP just fine.
Bob

- Collapse -
(NT) The Article Is Universal, Only The Forum is Windows 7
Aug 2, 2011 9:24AM PDT
- Collapse -
(NT) The Article Is Universal, Only The Forum is Windows 7
Aug 2, 2011 9:58AM PDT

IE8 seems to open correctly, I have blank as an opening screen. Then I type in Google which stays OK. But, if I click 'news' or try to navigate elsewhere in some way, I still have the dialog boxes that pile up on top of each other in the IE8 window. I followed Grif's suggestions to which you referred me and after running SuperAntiSpyware, it came up with hundreds of items which I was able to remove. I have a jpg screen capture of the box that pops up, but I don't know how to send it to you here. The msg starts with Cannot Find http://3 ...followed by machine readable code ... and 'make sure the path or the internet address is correct'. Perhaps if you can see it, that may help.

- Collapse -
The next steps.
Aug 2, 2011 10:43AM PDT

Is to continue using the tools till it's clean.

- Collapse -
Run Rkill And Malwarebytes Too!
Aug 3, 2011 12:03AM PDT

Malwarebytes will find things that SuperAntispyware doesn't, and vice versa. Rkill will stop and background programs so the removal tools will install and run correctly.. So, be sure to run Rkill, then run the other tools without restarting the computer.

As Bob stated, run the tools till you find nothing. Here, I run Rkill, then Malwarebytes, then I restart the computer. Then I run Rkill again and run SuperAntispyware, then restart the computer, then run Malwarebytes again, making sure it finds nothing, then run SuperAntispyware again, making sure it finds nothing.. If something is found by either of the tools, I restart the computer into Safe Mode and run the tools, one after the other. It takes a while to get everything done, but you can be sure it's clean.

Hope this helps.

Grif