Some help with redirects, a pop-up, & a corrupted hosts file?

Open Notepad as admin (right click on notepad icon or shortcut and click Run as admin) and type the following information in it:

127.0.0.1 localhost
::1 localhost


The "1" in the "127.0.0.1" must be at the first column of the line and there must be at least one space between "127.0.0.1" and "localhost". In the second line, there must be at least one space between "::1" and "localhost".


Save the file with the name "hosts" in C:\windows\system32\drivers\etc folder.

If it says the file already exists and asks whether you want to overwrite it, say yes.
 
This is something I've tried to do and work-around in the past, to no avail.
Saving it as "hosts." and not "hosts.txt", right?
I get the error:

hosts
This file is set to read-only.
Try again with a different file name.
 
No, this is something I've tried to do and work-around in the past, to no avail.
Tried to delete/replace/restore it by signing in as Admin, using Safe-Mode, etc.

I now have both a (corrupted) 'hosts' system file and the 'hosts' text document you asked me to make in the 'etc' folder.
 
Let's see if this will remove it.

  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the OTM icon on your desktop.
  3. Paste the following code under the paste area.
    Do not include the word "Code".

    Code:
    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    c:\windows\system32\drivers\etc\hosts
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  4. Push the large MoveIt! button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the Results line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Now run HostsXpert


Click Restore Microsoft's Hosts file. You will get a message stating that there is no hosts file available and asking whether you want to create one; SAY YES.
 
It gave me the log on reboot.
It's impenetrable! HostsXpert still couldn't get anything done.


All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File move failed. c:\windows\system32\drivers\etc\hosts scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: User
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 1157798 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 162775851 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1080 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 22709148 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 5257 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 34 bytes

Total Files Cleaned = 178.00 mb


OTM by OldTimer - Version 3.1.21.0 log created on 08042012_192947

Files moved on Reboot...
File move failed. c:\windows\system32\drivers\etc\hosts scheduled to be moved on reboot.
C:\Users\User\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 
Drag HostsXpert to the trash; this may be an updated version. I have never had this problem before, so I have not used this program much.

Please download

HostsXpert
  • Unzip HostsXpert to its own folder in a convenient place such as C:\HostsXpert
  • Run: HostsXpert.exe
  • Click: Restore MS Hosts File
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.

Note: If a custom Hosts file was in place, you will have to run those programs again to reset detections.
If needed, see the Tutorial.

 
Same issues as before:

"Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, Cancel to Quit.

***HostXpert will NOT reset these attributes.***"

If I hit OK:

"Your HOSTS file is marked as a "Hidden file" and can NOT be manipulated. Press OK to remove the hidden file attribute, CANCEL to Quit.

***HostsXpert will NOT reset these attributes.***"

I hit OK again to move on.

Clicking "Restore MS Hosts File" gives the window:

"ERROR: Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts"
 
Good Morning,

This is generally a pretty straightforward fix. As you stated in your original post that you fooled around with the hosts file, I am not sure exactly what you have done to it that stops it from being replaced. Just hang in for a bit; I am going to ask a Windows guy to take a peek.
 
Do this in the order listed

Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\*\shell\runas]

[-HKEY_CLASSES_ROOT\Directory\shell\runas]

Open Notepad and copy and paste this in:

Unlock: C:\windows\system32\drivers\etc\hosts
C:\windows\system32\drivers\etc\hosts


Save it to your desktop as Fixlist.txt



For x64 systems, download Farbar Recovery Scan Tool x64 and save it to your desktop. Make sure it's right next to Fixlist.txt.

Click on the Fix Button and post the results of the log it produces




Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    :OTL
    
    :files
    C:\windows\System32\Drivers\etc\hosts
    
    :Commands
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top (not Run Scan).
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces
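An added example, not from this thread and not part of OTM, OTL, FRST or HostsXpert: a PowerShell script that checks the conditions the posts above describe (Hidden, System and ReadOnly attributes, the owner and any Deny entries on the hosts file) and lists every hosts entry that is not a loopback mapping of localhost, which is what a hosts file used for redirects looks like. It assumes an elevated PowerShell 5.1 or later prompt and the default hosts path given in the thread; the function and variable names are mine.

```powershell
# Added example, not from the thread. Audits the Windows hosts file after a
# redirect/hijack incident: file attributes, owner, deny ACEs and non-localhost
# entries. Run from an elevated PowerShell 5.1+ prompt (assumption).
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'   # default path, as in the thread

function Get-HostsFileState {
    param([string]$Path = $HostsPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # -Force is needed, otherwise Get-Item silently skips Hidden/System files
    $item  = Get-Item -LiteralPath $Path -Force
    $acl   = Get-Acl  -LiteralPath $Path
    $attrs = $item.Attributes

    # Hidden or System on this file is abnormal; ReadOnly is a common hardening step
    # (HostsXpert's "Make ReadOnly") and is reported rather than flagged.
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        SizeBytes  = $item.Length
        Attributes = $attrs.ToString()
        IsHidden   = [bool]($attrs -band [IO.FileAttributes]::Hidden)
        IsSystem   = [bool]($attrs -band [IO.FileAttributes]::System)
        IsReadOnly = [bool]($attrs -band [IO.FileAttributes]::ReadOnly)
        Owner      = $acl.Owner
        DenyRules  = @($acl.Access |
                       Where-Object { $_.AccessControlType -eq 'Deny' } |
                       ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

function Get-SuspiciousHostsEntries {
    param([string]$Path = $HostsPath)

    # Benign: comments, blank lines, and 127.0.0.1 / ::1 mapped only to "localhost".
    # Anything else either redirects a name elsewhere or blocks it (e.g. AV update servers).
    $entries = foreach ($line in (Get-Content -LiteralPath $Path -Force)) {
        $text = ($line -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }
        $parts = @($text -split '\s+')
        $ip    = $parts[0]
        $names = @($parts | Select-Object -Skip 1)
        $loopback      = $ip -in @('127.0.0.1', '::1')
        $onlyLocalhost = @($names | Where-Object { $_ -notmatch '^localhost(\.localdomain)?$' }).Count -eq 0
        if (-not ($loopback -and $onlyLocalhost)) {
            [pscustomobject]@{ IP = $ip; Names = ($names -join ' '); Line = $line }
        }
    }
    return @($entries)
}

$state = Get-HostsFileState
$state | Format-List
if ($state.Exists) {
    $bad = Get-SuspiciousHostsEntries
    if ($bad.Count -eq 0) {
        'No entries other than localhost loopback mappings.'
    } else {
        "Entries that redirect or block names: $($bad.Count)"
        $bad | Format-Table -AutoSize
    }
}
```

A hosts file on which IsHidden or IsSystem is true, whose owner is not TrustedInstaller, SYSTEM or Administrators, or which carries Deny entries matches the symptoms reported in this thread; a listed entry that maps a search engine, vendor or update host somewhere other than loopback is the usual cause of the redirects that started it.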
 
Hi,

I have had all kinds of help with a fix for you and I had to edit it a few times. It's now correct, so follow the instructions in my last post in order, please, and let me know how it went.
 
Disco!
I took a peek at the hosts file and it's lookin' pretty.

I just wanted to state that I was fooling around (before I stumbled upon this forum) because I couldn't get anything done with the permissions before. As far as I could tell, the denial of access was not of my doing, and other people have had the same issues.
So this may not be the last you see of this strange problem. :O

So is this the last remnant of the infection(s)?

Both the Fixlog and OTL log are below:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03
Ran by User at 2012-08-05 13:56:33 Run:1
Running from C:\Users\User\Desktop

ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==============================================

permissions for C:\windows\system32\drivers\etc\hosts restored successfully
C:\windows\system32\drivers\etc\hosts moved successfully.

==== End of Fixlog ====

All processes killed
========== PROCESSES ==========
========== OTL ==========
========== FILES ==========
File\Folder C:\windows\System32\Drivers\etc\hosts not found.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: User
->Temp folder emptied: 25719952 bytes
->Temporary Internet Files folder emptied: 5927213 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 66345340 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 748 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 375671 bytes

Total Files Cleaned = 94.00 mb


OTL by OldTimer - Version 3.2.55.0 log created on 08052012_135729

Files\Folders moved on Reboot...
C:\Users\User\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\User\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...
 
Seas appear to be smooth for miles, Captain.

You're an absolute hero wizard, ken545! Give my thanks to your pal(s) too.

So what actions should I take, and what applications should I be running on my computer, to prevent this sort of occurrence in the future?
I imagine there are two categories here: what's best, and what's good & free. :)

- and what's the best way to show my appreciation? Donate to SS&D?
 
You know what, with the seriousness of your infection let's make sure it's all gone; this scan won't take long.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
ComboFix 12-08-05.02 - User 08/05/2012 17:37:27.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8109.6937 [GMT -5:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\LP\B63F\3469.tmp
c:\program files (x86)\LP\B63F\49EB.tmp
c:\program files (x86)\LP\B63F\4AC6.tmp
c:\program files (x86)\LP\B63F\9DF3.tmp
c:\program files (x86)\LP\B63F\AF13.tmp
c:\program files (x86)\LP\B63F\C541.tmp
c:\program files (x86)\LP\B63F\CB88.tmp
c:\program files (x86)\LP\B63F\D30A.tmp
c:\program files (x86)\LP\B63F\D815.tmp
c:\program files (x86)\LP\B63F\E233.tmp
c:\program files (x86)\LP\B63F\E52F.tmp
c:\program files (x86)\LP\B63F\E5CE.tmp
c:\program files (x86)\LP\B63F\EE34.tmp
c:\programdata\17672385l5n4
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-07-05 to 2012-08-05 )))))))))))))))))))))))))))))))
.
.
2012-08-05 22:40 . 2012-08-05 22:40 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-08-05 22:40 . 2012-08-05 22:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-05 22:40 . 2012-08-05 22:40 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-08-05 18:56 . 2012-08-05 18:56 -------- d-----w- C:\FRST
2012-08-05 02:50 . 2012-08-05 02:51 -------- d-----w- C:\HostsXpert
2012-08-05 00:29 . 2012-08-05 00:29 -------- d-----w- C:\_OTM
2012-07-31 02:06 . 2012-07-31 02:06 -------- d-----w- c:\program files (x86)\ERUNT
2012-07-31 01:36 . 2012-07-31 01:36 -------- d-----w- C:\_OTL
2012-07-26 05:48 . 2012-07-26 05:48 -------- d-----w- c:\program files (x86)\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2012-02-18 05:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-30 06:04 . 2012-06-30 06:04 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-30 06:04 . 2012-06-30 06:04 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-02 22:19 . 2012-06-22 15:50 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 15:50 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 15:50 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 15:50 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 15:50 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 15:50 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 15:50 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-22 15:50 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-22 15:50 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-24 16:57 . 2012-02-28 01:28 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-12-27 378472]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-11-11 155752]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-01 535656]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2413128680-2735381842-1444654988-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-26 02:56]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2413128680-2735381842-1444654988-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-26 02:56]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 0.0.0.0
TCP: Interfaces\{E9BBE345-E75A-482D-B4C0-7AD3A469C10B}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3ch0u0t8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-84050329.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-05 17:48:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-05 22:48
.
Pre-Run: 13,216,514,048 bytes free
Post-Run: 16,180,445,184 bytes free
.
- - End Of File - - FD9B566B896302EA696B8EF83202424E
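The ComboFix log above lists EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 under the Policies\System key, which means User Account Control had been switched off, and HideSCAHealth = 1 under Policies\Explorer, which hides the Security Center notifications that would have warned about it. As an added example, not part of the thread or of ComboFix, this PowerShell script reads those values and compares them with the Windows 7 defaults; the expected values are stated as an assumption for that version, and the function and variable names are mine.

```powershell
# Added example, not from the thread. Compares the UAC / Security Center policy
# values that ComboFix listed under "Reg Loading Points" with their Windows 7
# defaults (assumed values; other Windows versions may differ).
$PolicyChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';                  Expected = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'ConsentPromptBehaviorAdmin';  Expected = 5 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'ConsentPromptBehaviorUser';   Expected = 3 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'PromptOnSecureDesktop';       Expected = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableUIADesktopToggle';      Expected = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';               Expected = 0 }
)

function Test-UacPolicy {
    param([hashtable[]]$Checks = $PolicyChecks)

    foreach ($c in $Checks) {
        # Get-ItemProperty returns nothing if the key or the value is absent
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { [int]$item.($c.Name) } else { $null }

        # A missing value means Windows applies its default, so it is not a finding
        $effective = if ($null -eq $actual) { $c.Expected } else { $actual }

        [pscustomobject]@{
            Key      = $c.Key
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = if ($effective -eq $c.Expected) { 'OK' } else { 'CHANGED' }
        }
    }
}

Test-UacPolicy | Format-Table -AutoSize
```

Rows marked CHANGED are the ones the log shows; setting them back with Set-ItemProperty on the same key and rebooting restores the UAC prompts and the Security Center notifications, and a repeat run of the script should then show every row as OK.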
 
Wonderful, all OK?

Sometimes, even though things appear to be running OK, the infection that you had can fool with Windows services. Let's check and make sure they're OK.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 