Can't edit hosts file


  • This topic is locked
4 replies to this topic

#1 cjc47

cjc47

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 15 December 2009 - 07:39 PM

Hi, I have been working on a friend's system for a while. Ran Avast, Malwarebytes, Ad-Aware. Also ran SUPERAntiSpyware and a-squared from UBCD. All removed different items. The computer ran with no protection for some time.
There are redirects in the hosts file. I cannot access the hosts file, can't edit or delete. Can't use attrib or cacls, everything is access denied. I could reload this box but it is a challenge now.

Any help would be appreciated.

RootRepeal and HijackThis logs attached.

TIA

#2 cjc47

cjc47
  • Topic Starter


Posted 15 December 2009 - 08:11 PM

Also, when updates are applied, after reboots it says the update still needs to be applied. I can only get to update.microsft.com with Firefox and IE Tab. IE implodes after it gets redirected to google.de. Google also gets redirected to google.de with Firefox.
TIA

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:40 AM

Posted 16 December 2009 - 03:01 PM

Hi cjc47,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on, as it might interfere with our fixes. Of course, knowing you are good at fixing computer problems, any idea is welcome if you feel something could be done. Please let me know in your next reply if you agree with this.
  • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

      Comment:
      start to process
      
      Drivers to delete:
      H8SRTd.sys
      
      Files to delete:
      C:\WINDOWS\system32\drivers\H8SRThyfyyufygm.sys
      C:\WINDOWS\system32\viruxz.dll
      
      Registry values to delete:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | bestreak
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | {874443fe-aa33-4ebf-a6ac-73208787e62d}
    • In the Avenger window, click the Paste Script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.
  • Please run Notepad (Start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


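    @Echo off
    REM Reset permissions on the hosts file, delete it, and log each step to log.txt.
    REM   first cacls : records the current ACL of the file in log.txt
    REM   cacls /c /p : replaces the ACL so Users get Full control; echo y answers the prompt
    REM   attrib      : clears the read-only, hidden and system attributes
    REM   del, dir    : deletes the file, then lists it with its owner to show whether it is gone
    for %%g in (
    c:\windows\system32\drivers\etc\hosts
    ) do (
    cacls %%g >log.txt
    echo y| cacls %%g /c /p users:f
    attrib -r -h -s %%g
    del /a /s /q %%g
    dir /a /q %%g >>log.txt 2>&1)
    REM Open the log for posting, then remove this batch file.
    start log.txt
    del %0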
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click dirlook.bat on the desktop.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

Edited by farbar, 17 December 2009 - 03:02 AM.
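
The thread concerns redirect entries in a hosts file. The following is an added example, not part of the original posts or of any tool named in them, showing how such entries can be identified once the file (or a copy of it) is readable. The function names `parse_hosts` and `audit_hosts` are hypothetical, and the sample content is constructed, using the documentation address 203.0.113.7.

```python
import ipaddress

# Constructed sample for illustration; not taken from the logs in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # sinkhole-style entry
203.0.113.7     www.google.com google.com
203.0.113.7     update.microsoft.com     # inline comment is ignored
not-an-ip       broken.example
::1             localhost
"""

def parse_hosts(text):
    """Yield (line_no, address or None, [hostnames]) for each active line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None                        # first field is not an IP address
        yield line_no, addr, [name.lower() for name in fields[1:]]

def audit_hosts(text):
    """Return (line_no, kind, hostnames) for every entry worth a second look."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((line_no, "malformed", names))
        elif addr.is_loopback or addr.is_unspecified:
            # Loopback/0.0.0.0 mappings make a name unreachable; only
            # "localhost" itself is expected here.
            blocked = [n for n in names if n != "localhost"]
            if blocked:
                findings.append((line_no, "blocked", blocked))
        else:
            # Any other address sends the listed names to that host.
            findings.append((line_no, "redirect", names))
    return findings

if __name__ == "__main__":
    for line_no, kind, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {' '.join(names)}")
```

To check a real file, pass its text to `audit_hosts`; when the live file returns access denied, as described in this thread, read a copy taken from outside the running system instead.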


#4 Farbar

Posted 19 December 2009 - 07:50 AM

Are you still there?

#5 Farbar

Posted 20 December 2009 - 12:17 PM

This thread will now be closed due to inactivity.

If you should have the same or a new issue, please start a new topic.
