Browser redirection
Somehow my Windows Vista computer has been infected with a Google redirection virus or malware. Frequently when clicking on a Google search result I am redirected to a different website, although this does not always happen. Interestingly, the redirections are generally to a list of other websites (which look like the results of another search engine) and occur when using either Firefox or Internet Explorer. The cause of the problem is not detected by Norton Internet Security, Ad-Aware or Spybot Search & Destroy which are all fully up-to-date. Looking at the HOSTS file I see quite a few different entries – could you explain their purpose, as I don’t know whether they are legitimate?
127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
…plus many more…
If we could remove this problem from the computer without the need for a full reinstallation of Windows that would be perfect.
You are correct that your computer has become infected with some kind of browser hijacking virus or malware, since you are being redirected to other websites without your explicit consent. It is concerning that none of the antivirus or antimalware packages installed on your computer have been able to detect and remove this threat, which does not bode well for removing it effectively. However, before we go any further we will first have a look at the excerpt of the HOSTS file which you have included in the question. In order to understand the purpose of the HOSTS file, we first need to understand how host names and IP addresses work. When you visit a website you generally type in the hostname (or domain name) for that website, such as google.com or yahoo.com. These hostnames are not particularly useful for computer systems, since they don’t provide any information on how to reach the destination computer (known as the host; in the case of these examples the Google and Yahoo servers respectively). Every networked computer in the world has a unique address on that network, known as an IP address. These are in the format XXX.XXX.XXX.XXX, four numbers separated by dots. As an example, the IP address for a Google server is 74.125.237.80 and the IP address for a Yahoo server is 72.30.2.43. These IP addresses are how computers on a network are actually located: each portion of the IP address (known as an octet) provides information on where that host is located on the network, allowing the request which you send to that host (such as to display a web page) to be routed through the network and eventually received by the host, which can then respond to the request.
As you may be able to infer at this point, in order to communicate with a host on the internet you eventually need to find out its IP address so that the request can be sent to the host. It would be very difficult to remember the IP addresses for all the hosts which you access on a daily basis (google.com, canberratimes.com.au, siliconkid.com.au), since humans are not particularly good at remembering a whole series of numbers. Instead, we are much better at remembering words. Thus, instead of having to type in the IP address for a host when you wish to visit that host on the internet, you can instead type in the hostname (or domain name), which is much easier to remember. A system known as the Domain Name System (or DNS) then takes that hostname (e.g. google.com) and translates it into the relevant IP address (e.g. 74.125.237.80). It is also possible to bypass this step and access a website by just typing in the IP address of the host. Open your web browser and type in 74.125.237.80 and you will see that the Google website appears.
So, you can see that the DNS system provides a convenience: it allows humans to remember word representations of their favourite websites rather than having to memorise a string of numbers. DNS requests (i.e. requests to translate a hostname to an IP address, or vice versa) are handled by your internet service provider’s DNS servers. If you look at the configuration for your internet connection you will notice that there are DNS servers configured. In fact, there is generally a primary and a secondary DNS server configured for redundancy, because without DNS it would be very hard to use the internet at all. However, it is also possible to store a file on your computer which holds these hostname to IP mappings, and this is exactly what the HOSTS file on the computer does.
At this point you may be asking what is the point of the HOSTS file, since your upstream network provider takes care of DNS requests using their DNS servers (which are automatically updated with new hosts and IP addresses). The HOSTS file is really a relic of the early days of the internet when there was no distributed system for handling DNS requests. While advanced users can still find the HOSTS file handy (thus the reason that it has not been completely deprecated) the average user has absolutely no use for this file. However, it must be noted that entries in the HOSTS file will override requests made via DNS. Therefore, if there is an entry in the HOSTS file say, for example, google.com then the hostname to IP mapping will take precedence over any results returned from a DNS request for google.com. You will notice that there are entries in your HOSTS file which have been inserted by Spybot Search & Destroy. These are hostnames for what Spybot considers known bad sites. You will see that hostname to IP entries have been added pointing towards 127.0.0.1. That is the “loopback” IP address and refers to your local computer. In other words, if you access 127.0.0.1 on a computer it will loop the request back to that particular computer. These entries have been inserted as a security measure so that if you inadvertently attempt to visit one of those sites then you will be unsuccessful since it will redirect the request back to your computer instead of the actual destination server.
As you can see, because the HOSTS file can be used to override the results of a DNS request it can also be used for malicious purposes. For example, malware on your computer could place an entry for google.com in the HOSTS file and direct that host towards the IP address for a malicious website. This means that if you attempt to visit google.com then that hostname will be resolved to the malicious IP address and you will be directed to the malicious site instead. Most antivirus and antimalware products protect the HOSTS file from such attacks, but it may be worthwhile to cast your eye over the file just to make sure that there are no static entries directing you to IP addresses other than 127.0.0.1. Don’t worry about the second entry in the file pointing towards ::1 as that is simply the IPv6 representation of localhost. IPv6 is the next version of the IP protocol which uses different format IP addresses, since the world has pretty much run out of unallocated IPv4 addresses (i.e. the current addressing scheme which we use).
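To make the two points above concrete (HOSTS entries take precedence over DNS answers, and entries pointing anywhere other than the loopback address deserve a second look), here is an added example script that is not part of the original column. It parses HOSTS-file text, mimics the resolver order by consulting the file before a DNS lookup, and lists every entry that maps a hostname to a non-loopback address. The file contents used here are constructed for illustration (including a hijacking entry using the 203.0.113.0/24 documentation range), and the DNS lookup is a stand-in function so the script runs offline; the `C:\Windows\System32\drivers\etc\hosts` path is the standard Windows location, and the script falls back to the sample text if that file is not present. Both 127.0.0.1 and 0.0.0.0 are treated as harmless blocking targets, since blocklists commonly use either.

```python
import ipaddress
import os

# Constructed sample HOSTS file contents (not the reader's actual file).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
# Constructed hijacking entry: 203.0.113.0/24 is a documentation-only range
203.0.113.25 google.com www.google.com
"""

# Standard location of the HOSTS file on Windows (assumed default install path).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text, one pair per hostname.

    Blank lines and '#' comments are skipped; a line may list several
    hostnames after the address, each of which becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name))
    return entries


def is_blocking_entry(ip):
    """True if the address only sends traffic back to this computer or nowhere.

    Loopback (127.0.0.0/8, ::1) and the unspecified address (0.0.0.0, ::)
    are the usual targets of legitimate blocklist entries such as Spybot's.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as worth reporting
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Return entries that steer a hostname to a real (non-loopback) address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if not is_blocking_entry(ip)]


def resolve(hostname, hosts_text, dns_lookup):
    """Mimic resolver precedence: a HOSTS entry wins over the DNS answer."""
    for ip, name in parse_hosts(hosts_text):
        if name.lower() == hostname.lower():
            return ip
    return dns_lookup(hostname)


def fake_dns(hostname):
    """Stand-in for a real DNS query so the example runs offline."""
    return "198.51.100.1"  # constructed answer from the documentation range


def load_hosts_text(path=WINDOWS_HOSTS_PATH):
    """Read the real HOSTS file if present, otherwise use the sample text."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return SAMPLE_HOSTS


if __name__ == "__main__":
    text = load_hosts_text()
    print("google.com resolves to:", resolve("google.com", text, fake_dns))
    flagged = suspicious_entries(text)
    if flagged:
        print("Entries pointing away from this computer (review these):")
        for ip, name in flagged:
            print(f"  {name} -> {ip}")
    else:
        print("No HOSTS entries point anywhere other than loopback.")
```

Run it as-is to see the sample hijacking entry reported; on the affected machine, run it there so it reads the real HOSTS file. Any hostname listed with a routable address that you did not add yourself is worth removing, after which a DNS lookup for that name behaves normally again.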
So, now that we have an understanding of the HOSTS file you can check whether all is alright with the current file on your computer. However, this still leaves us with the problem concerning the browser hijacking taking place on the computer. Unfortunately I don’t foresee a way to totally remove this threat from your computer without completing a format and reinstallation of Windows. The fact that the antivirus and antimalware software currently installed on your computer cannot pick up this threat does not bode well, since it is entirely possible that even if you find a utility which can detect and remove the threat, it will not remove all traces of it from your computer. As you would have read in previous columns, once a computer has been infected it can never be trusted again until you complete a format and reinstallation. Therefore, unfortunately my only recommendation would be to back up all important data on your computer (including email), then format the hard drive and reinstall Windows from scratch, and then restore all your backed-up data.