I ran into a troublesome problem with a web browser redirect. All services were fine and browsing worked without issue except for Google and Bing. These two sites, and a couple of others I later discovered, would redirect to either a survey web page or one displaying “404 not found nginx”. Netstat interestingly showed within seconds of logon about twelve port 80 “established” connections to remote sites, but quickly switched to a consistent three: 18.104.22.168, 22.214.171.124, 126.96.36.199. This obviously indicated either tampering with DNS or a proxy server.
My first thought was the Hosts file, which upon inspection revealed it had been cleared and the attributes changed to Read Only, Hidden, and System file. I reset the attributes with “attrib -R -A -S -H”, copied the contents of another hosts file, which is really just comments, and ran “ipconfig /flushdns”. (For those unaware, Notepad must be opened using elevated privileges on Vista or Win7.) This made no difference whatsoever.
Googling suggested this was common with hacked routers, but this was only one PC on the network, and other suggestions were Malwarebytes, TDSSKiller, Gmer, HitMan Pro, and others. Trying several of these found nothing. I reverted to my original thinking and discovered the Hosts file had indeed been modified. There were about 100 empty lines and then below that malware had added about 30 malicious entries. Clearing these resolved the problem.
Such a simple hack, but easily overlooked, and surprisingly missed by the common malware tools.
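An added example, not part of the original post, of the check that would have caught this on first inspection: parse the hosts file ignoring comments and blank lines, report the longest run of blank padding, and flag every active mapping that does not point at a loopback or unspecified address. The sample hosts content and the 203.0.113.10 address are constructed for the demonstration; the real file path is the standard Windows location.

```python
import ipaddress
import os

# Constructed sample resembling the tampered hosts file described above:
# stock comments, a run of 100 blank lines, then hijack entries at the bottom.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "#\t127.0.0.1       localhost\n"
    + "\n" * 100
    + "203.0.113.10 www.google.com\n"   # constructed TEST-NET address
    + "203.0.113.10 www.bing.com\n"
    + "127.0.0.1 localhost\n"
)

# Standard location on Windows; used only if present on the machine.
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "drivers", "etc", "hosts")

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active mapping line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]

def audit_hosts(text):
    """Return the longest blank-line run and all mappings to non-loopback IPs."""
    findings = {"max_blank_run": 0, "suspicious": []}
    run = 0
    for raw in text.splitlines():
        run = run + 1 if raw.strip() == "" else 0   # count consecutive blanks
        findings["max_blank_run"] = max(findings["max_blank_run"], run)
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings["suspicious"].append((n, ip, names, "unparseable address"))
            continue
        # 127.x / ::1 and 0.0.0.0 are what ad-block lists use; anything else
        # redirects the named hosts to another machine and needs a look.
        if not (addr.is_loopback or addr.is_unspecified):
            findings["suspicious"].append((n, ip, names, "non-loopback mapping"))
    return findings

if __name__ == "__main__":
    text = open(WINDOWS_HOSTS).read() if os.path.exists(WINDOWS_HOSTS) else SAMPLE_HOSTS
    print(audit_hosts(text))
```

Flagged entries still need a human decision, since a legitimately pinned intranet server will show up the same way; the blank-line count is the tell for padding meant to push entries below the visible window.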