PDA

View Full Version : cannot create file c:\windows\sytem32\drivers\etc\hosts


intune
2010-01-27, 14:08
I ran spybot and received the following error:
Unexpected error in fixing problems (cannot creat file "c:\windows\system32\drivers\etc\hosts". Access is denied)
:red:

I have downloaded and ran ERUNT

Here is my log from hijack this:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 7:26:16 AM, on 1/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 74.125.45.100 test1111.com
O1 - Hosts: 74.125.45.100 test1112.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com (http://www.getantivirusplusnow.com)
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com (http://www.secure-plus-payments.com)
O1 - Hosts: 74.125.45.100 www.getavplusnow.com (http://www.getavplusnow.com)
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com (http://www.securesoftwarebill.com)
O1 - Hosts: 89.248.168.188 google.ae
O1 - Hosts: 89.248.168.188 google.as
O1 - Hosts: 89.248.168.188 google.at
O1 - Hosts: 89.248.168.188 google.az
O1 - Hosts: 89.248.168.188 google.ba
O1 - Hosts: 89.248.168.188 google.be
O1 - Hosts: 89.248.168.188 google.bg
O1 - Hosts: 89.248.168.188 google.bs
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.cd
O1 - Hosts: 89.248.168.188 google.com.gh
O1 - Hosts: 89.248.168.188 google.com.hk
O1 - Hosts: 89.248.168.188 google.com.jm
O1 - Hosts: 89.248.168.188 google.com.mx
O1 - Hosts: 89.248.168.188 google.com.my
O1 - Hosts: 89.248.168.188 google.com.na
O1 - Hosts: 89.248.168.188 google.com.nf
O1 - Hosts: 89.248.168.188 google.com.ng
O1 - Hosts: 89.248.168.188 google.ch
O1 - Hosts: 89.248.168.188 google.com.np
O1 - Hosts: 89.248.168.188 google.com.pr
O1 - Hosts: 89.248.168.188 google.com.qa
O1 - Hosts: 89.248.168.188 google.com.sg
O1 - Hosts: 89.248.168.188 google.com.tj
O1 - Hosts: 89.248.168.188 google.com.tw
O1 - Hosts: 89.248.168.188 google.dj
O1 - Hosts: 89.248.168.188 google.de
O1 - Hosts: 89.248.168.188 google.dk
O1 - Hosts: 89.248.168.188 google.dm
O1 - Hosts: 89.248.168.188 google.ee
O1 - Hosts: 89.248.168.188 google.fi
O1 - Hosts: 89.248.168.188 google.fm
O1 - Hosts: 89.248.168.188 google.fr
O1 - Hosts: 89.248.168.188 google.ge
O1 - Hosts: 89.248.168.188 google.gg
O1 - Hosts: 89.248.168.188 google.gm
O1 - Hosts: 89.248.168.188 google.gr
O1 - Hosts: 89.248.168.188 google.ht
O1 - Hosts: 89.248.168.188 google.ie
O1 - Hosts: 89.248.168.188 google.im
O1 - Hosts: 89.248.168.188 google.in
O1 - Hosts: 89.248.168.188 google.it
O1 - Hosts: 89.248.168.188 google.ki
O1 - Hosts: 89.248.168.188 google.la
O1 - Hosts: 89.248.168.188 google.li
O1 - Hosts: 89.248.168.188 google.lv
O1 - Hosts: 89.248.168.188 google.ma
O1 - Hosts: 89.248.168.188 google.ms
O1 - Hosts: 89.248.168.188 google.mu
O1 - Hosts: 89.248.168.188 google.mw
O1 - Hosts: 89.248.168.188 google.nl
O1 - Hosts: 89.248.168.188 google.no
O1 - Hosts: 89.248.168.188 google.nr
O1 - Hosts: 89.248.168.188 google.nu
O1 - Hosts: 89.248.168.188 google.pl
O1 - Hosts: 89.248.168.188 google.pn
O1 - Hosts: 89.248.168.188 google.pt
O1 - Hosts: 89.248.168.188 google.ro
O1 - Hosts: 89.248.168.188 google.ru
O1 - Hosts: 89.248.168.188 google.rw
O1 - Hosts: 89.248.168.188 google.sc
O1 - Hosts: 89.248.168.188 google.se
O1 - Hosts: 89.248.168.188 google.sh
O1 - Hosts: 89.248.168.188 google.si
O1 - Hosts: 89.248.168.188 google.sm
O1 - Hosts: 89.248.168.188 google.sn
O1 - Hosts: 89.248.168.188 google.st
O1 - Hosts: 89.248.168.188 google.tl
O1 - Hosts: 89.248.168.188 google.tm
O1 - Hosts: 89.248.168.188 google.tt
O1 - Hosts: 89.248.168.188 google.us
O1 - Hosts: 89.248.168.188 google.vu
O1 - Hosts: 89.248.168.188 google.ws
O1 - Hosts: 89.248.168.188 google.co.ck
O1 - Hosts: 89.248.168.188 google.co.id
O1 - Hosts: 89.248.168.188 google.co.il
O1 - Hosts: 89.248.168.188 google.co.in
O1 - Hosts: 89.248.168.188 google.co.jp
O1 - Hosts: 89.248.168.188 google.co.kr
O1 - Hosts: 89.248.168.188 google.co.ls
O1 - Hosts: 89.248.168.188 google.co.ma
O1 - Hosts: 89.248.168.188 google.co.nz
O1 - Hosts: 89.248.168.188 google.co.tz
O1 - Hosts: 89.248.168.188 google.co.ug
O1 - Hosts: 89.248.168.188 google.co.uk
O1 - Hosts: 89.248.168.188 google.co.za
O1 - Hosts: 89.248.168.188 google.co.zm
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.com.af
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1708537768-1454471165-839522115-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Gunnut')
O4 - HKUS\S-1-5-21-1708537768-1454471165-839522115-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Gunnut')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236135285011
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11650 bytes


Thank You for any help.:thanks:

OK, as part of the redirect my ebay was going to a screen asking for personal information. I contacted eBay and was told to run Malwarebytes.org.

Unfortunately (even though infections were found) the problem with redirecting hosts is still a problem. I have tried to edit my hosts file using Hostsxpert. I am unable to edit.

I also did a scan with AVG. Still problems with the redirecting hosts.

Please help if you can. I am thinking my only recourse is that I should reload windows and that I know is a LAST RESORT.

BTW, Am I not adding something that is needed to help me solve this problem?
==================

Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)
Shaba
2010-02-01, 20:04
Hi intune

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Shaba
2010-02-11, 19:57
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.