HijackThis was throwing up a load of redirection O1s (50-60 no).
I've run Malwarebytes and ComboFix and Avira and none of them worked.
I actually went and deleted the hosts file in windows/system32/drivers/etc but they were still there in HijackThis.
I went to the hosts directory (see above) through the recovery console.
Using the cacls command, it showed the hosts file as still being there but with a permission of
"NT authority authorised user - special access."
The bottom line to this is that it doesn't show up in Windows directory listings (hidden file or not).
As well as that, you can't delete it or edit it, in recovery mode, command line, safe mode - any mode.
Neither ComboFix nor any of about 6 other antispyware/rootkit programs can do anything with the invisible hosts file.
I moved the hard drive to a second PC (secondary drive) at this stage. After trawling the internet I found a program called GMER, which is a rootkit killer but has a utility for deleting files. This is the only thing I found which would delete it.
Programs that tried and failed to delete/edit the hosts file....
Avira Free version.
Include HostsXpert in that list. It was able to read the "invisible" hosts file but not edit or delete it.
Anybody come across this before?
Edited by Pandy, 30 April 2010 - 09:43 AM.
Moved from Breaking Virus & Security News to a more appropriate forum ~Pandy