This is an interesting sample, caught by our honeypots.

The file comes as a zip archive from qtpom{removed}, which once extracted looks like this:

It is almost undetected by antivirus engines (see the VirusTotal report). Truth be told, no blatant sign of malicious activity is visible at first, until this:

What the heck? This is not my Google home page. And what are those tabs up there: “Pharmacy”, “Casino”?

The malware modifies the Windows hosts file to redirect popular sites to (IP:, Russian Federation).

If you are a victim of a homepage hijack or other redirections, it is always worth checking your hosts file, located at C:\windows\system32\drivers\etc\hosts

Then you can remove the offending entries manually and save the file (on Windows, saving it requires an editor run as administrator). This brings only temporary relief, not a definitive fix, if the malware is still active on your PC and can simply rewrite the file.
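The manual check described above can be automated. The script below is an added example written for this post, not code from the original article or from the malware sample: it parses hosts-file syntax (comments, inline comments, one IP followed by one or more hostnames), flags any entry that points a popular domain somewhere other than loopback or the 0.0.0.0 sinkhole, and produces a cleaned copy with those lines dropped while leaving legitimate internal mappings intact. The sample hosts content, the watchlist of domains and the 192.0.2.10 redirect address are constructed for the example (192.0.2.0/24 is a documentation range, not the IP from the sample); `HOSTS_PATH` is the Windows path the post names.

```python
import ipaddress
import sys

# Path named in the post; only used when the script is run directly.
HOSTS_PATH = r"C:\windows\system32\drivers\etc\hosts"

# Constructed sample of a hijacked hosts file (not the post's real data).
# 192.0.2.10 is a documentation-range placeholder standing in for the
# redirect address, not a real indicator of compromise.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com
192.0.2.10      google.com      # injected by the hijacker
192.0.2.10      www.bing.com
10.0.0.5        intranet.corp.example   # legitimate internal mapping
"""

# Constructed watchlist of "popular sites" whose hosts entries are suspicious
# whenever they resolve anywhere but loopback or the 0.0.0.0 sinkhole.
WATCHLIST = {"google.com", "bing.com", "yahoo.com", "facebook.com", "microsoft.com"}

# Destinations that are benign in a hosts file: loopback and the null sinkhole
# used by ad-blocking lists. Anything else for a watched domain is a redirect.
BENIGN_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/32"),
]


def parse_hosts(text):
    """Return (ip, hostname, line_no, raw_line) for every active mapping.

    Handles full-line and inline '#' comments, blank lines, tabs, and lines
    that map several hostnames to one address. Lines whose first token is not
    a valid IP address are skipped rather than treated as mappings.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((ip, host.lower(), line_no, raw))
    return entries


def is_benign_destination(ip):
    """True for loopback / null-route addresses, which never hijack a site."""
    return any(ip in net for net in BENIGN_NETS)


def is_watched(host, watchlist):
    """Match the domain itself or any subdomain of it (www.google.com)."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_hijacks(text, watchlist=WATCHLIST):
    """Return the entries that redirect a watched domain to a foreign address."""
    return [
        entry
        for entry in parse_hosts(text)
        if is_watched(entry[1], watchlist) and not is_benign_destination(entry[0])
    ]


def clean_hosts(text, watchlist=WATCHLIST):
    """Return the hosts content with every flagged line removed.

    Lines are dropped whole, so a line that maps several hostnames is removed
    if any one of them is a flagged redirect. All other lines, including
    comments and unrelated mappings, are kept byte-for-byte.
    """
    bad_lines = {line_no for _, _, line_no, _ in find_hijacks(text, watchlist)}
    kept = [
        raw for line_no, raw in enumerate(text.splitlines(), 1)
        if line_no not in bad_lines
    ]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    # Usage: python check_hosts.py [path]; defaults to the Windows hosts file.
    path = sys.argv[1] if len(sys.argv) > 1 else HOSTS_PATH
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    for ip, host, line_no, raw in find_hijacks(content):
        print(f"line {line_no}: {host} -> {ip}    [{raw.strip()}]")
```

Run against the real file, the script only reports; writing the cleaned copy back is left to the operator, since the file is protected and, as the post notes, will simply be rewritten if the malware is still running.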