Recently I helped a friend who had an infected laptop running Windows. One of the first things you want to do is disable every network connection (wireless and wired) so that the computer cannot communicate with your local area network or the Internet. This helps prevent the virus from spreading further and limits collateral damage.
In order to run scans on the system, it is best to download the scanning tools on a clean machine, copy them to a USB stick or burn them to a CD, and then install them from that removable media on the infected system. CDs are ideal because they are read-only and cannot be infected, whereas a USB key could carry the virus back to your other systems.
After running through a variety of scanning tools for spyware, malware, and viruses, we felt we had cleaned it up quite well. (Note that the only way to truly know is to reinstall everything – not fun.) (Second note: not all antivirus products are the same, and they scan for different issues.)
I thought I would just check one last spot where I have seen some crafty (malicious) things done in the past:
Sure enough, this file had been hijacked. Here were the contents:
What this accomplished was twofold: it prevented the system from communicating with legitimate anti-virus websites, and it could also hijack the web browser, redirecting it to a site that looked and felt like the legitimate one (a spoofed / phishing site).
The hosts file had been hidden as a system file and set read-only. No matter what we did, we could not overwrite it, delete it, or save new contents to it.
We discovered a handy free utility called Unlocker (http://majorgeeks.com/download.php?det=4660) which resolved the problem and deleted the file for us.
Maybe check the contents of your hosts file and see if anything interesting lurks there.
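As an added example (not part of the original post), here is a small checker for the kind of hijack described above: it parses hosts-file text and flags any name that is pointed somewhere other than loopback (a possible phishing redirect) or any watched domain, such as a security vendor, that is pinned to any address at all (a possible update-blocking entry). The sample hosts content, the hostnames in it, and the `watch_suffixes` list are all constructed for illustration.

```python
import ipaddress
import os
import sys


def _is_benign_target(addr: str) -> bool:
    """Loopback (127.x / ::1) and the unspecified address (0.0.0.0) are the
    only targets a hosts entry normally points at without raising concern."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not even an IP address: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_suspicious(text: str, watch_suffixes=()):
    """Flag entries redirecting a name off loopback, or pinning a watched
    domain (or any of its subdomains) to any address whatsoever."""
    flagged = []
    for ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in watch_suffixes)
        if watched or not _is_benign_target(ip):
            flagged.append((ip, name))
    return flagged


def default_hosts_path() -> str:
    """Location of the live hosts file on Windows or a Unix-like system."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


# Constructed sample resembling a hijacked hosts file (not the post's real contents).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.example-av.test      # AV update server nulled out
198.51.100.7    www.example-bank.test        # redirected to a look-alike host
"""

if __name__ == "__main__":
    for ip, name in find_suspicious(SAMPLE_HOSTS, watch_suffixes=("example-av.test",)):
        print(f"suspicious: {name} -> {ip}")
```

To inspect a real machine, read `default_hosts_path()` into `find_suspicious` with the vendor domains you care about as `watch_suffixes`; the file may need the hidden and read-only attributes cleared first, as happened in the case above.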