Solved

Hijacked web sites

Posted on 2011-03-03
14
313 Views
Last Modified: 2012-08-13
Have the spyware: 74.125.45.100 associated with rogue ware. When going to a site in Google I get taken to one of their addresses using the above IP.

Ran spybot but it cannot delete, get the following error:

Unexpected error in fixing problems
(cannot create file)
System32\drivers\etc\host*
access is denied
0
Question by:ycguy1117
14 Comments
 
LVL 7

Expert Comment

by:brettkm
ID: 35033882
I would try a scan with Malwarebytes' Anti-Malware, TDSSKiller, Hitman Pro and ComboFix in that order.  If your machine is still infected please reply with any logs created by these programs.
0
 
LVL 22

Expert Comment

by:optoma
ID: 35034527
Along with using the above scanners, you will also have to reset the Hosts file, otherwise you will still get redirected:
http://forums.majorgeeks.com/showthread.php?t=138700
0
 
LVL 38

Expert Comment

by:younghv
ID: 35034989
ycguy1117,
The symptoms you are describing appear to be some variant of the malware known as "Windows Protection Suite".

Here is a step-by-step set of instructions for removing it:
http://www.bleepingcomputer.com/virus-removal/remove-windows-protection-suite

Please work through them and post back if you have any questions.

@Experts -
You are encouraged to actually read the details of the problem being described and try to give targeted advice.

Random suggestions are never a good idea when trying to solve malware problems.
0
 
LVL 22

Expert Comment

by:optoma
ID: 35035315
Access is denied to the hosts file. Generally, if that happens, malware has altered permissions and added a list of "bogus" redirects.

Author: To clarify whether the hosts file contains these rogue IP addresses, post a HijackThis log, which should note those entries, if they exist.

Note: if the system is Vista or 7, "run as administrator" for HijackThis.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35035335
ycguy1117,
Simply re-setting your "HOSTS" file will not address the underlying infection.

You have to treat the actual problem - not the symptoms.
0
 

Author Comment

by:ycguy1117
ID: 35036470
Ran all of the software mentioned, no success:

ComboFix will not run; it indicates Symantec is on. I have disabled everything, it still indicates the scan feature is running.
Tried to run the hosts reset: error "Cannot create file". Will not run.

Here is the file with the names and IP address that cause this issue and seemingly cannot be deleted:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
0
 
LVL 38

Expert Comment

by:younghv
ID: 35036518
You should not be running ComboFix - beyond the fact that several anti-malware applications will conflict with it, it is not needed.

Follow the instructions in the link I posted above, but when downloading MBAM, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.
0
 
LVL 22

Expert Comment

by:optoma
ID: 35036913
Regarding the hosts file. Did you make it writable using hostxpert first? If so, there is another way which can fix it.

You ran all the mentioned scanners (brettkm's post) except CF. Did they find anything?
0
 

Author Comment

by:ycguy1117
ID: 35036967
I was trying to follow the directions posted in the first reply. I had Malwarebytes already installed on this machine; it did not detect anything. That is why I ran Spybot, it found it but could not delete due to the error on the hosts file. Do I need to uninstall Malwarebytes and try again?
0
 
LVL 22

Expert Comment

by:optoma
ID: 35037134
Apart from the redirects (due to the hosts file), is there any fake program popping up on the machine, hampering other functions?


Use these steps for the hosts file to reset it to defaults:
1-Create a system restore point
 
2-Download unlocker + Microsoft's hosts fixit
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (AV may detect it as a threat, so disable AV temporarily if so)
http://support.microsoft.com/kb/972034

3-Show hidden files
http://www.bleepingcomputer.com/tutorials/tutorial62.html

4-Run unlocker and browse to
C:\windows\system32\drivers\etc
Use unlocker to delete the hosts file


5-Reboot and run Microsoft's fixit to create a new hosts file

6-Reboot again and check the hosts file

0
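The two technical pieces of this thread, the hijacked hosts entries the author posted and the reset procedure above, can be checked and carried out in a script. The following is an added example, not code from the thread or from any of the tools it names (Spybot, HostsXpert, unlocker, the Microsoft fixit). It parses a hosts file, flags any non-loopback target that either redirects protection services (here safebrowsing-cache.google.com and urs.microsoft.com, the two such names in the author's list) or has many hostnames fanned into one address, then backs up and rewrites the file. The sample hosts content is constructed from the entries in the thread; the threshold of five names per address and the comments-only default file are assumptions, and the demo works on a copy in a temporary directory rather than the real C:\Windows\System32\drivers\etc\hosts. The one Windows-specific behaviour worth knowing is the failure mode the author hit: when the write raises PermissionError, the ACL or file attributes have been tampered with and must be restored before a rewrite can succeed.

```python
"""Triage a hijacked Windows hosts file and write a clean replacement.
Added example, not from the thread or any tool it names; the sample content is
constructed from the entries the author posted."""
import ipaddress
import shutil
import tempfile
from pathlib import Path

# Constructed sample: the author's hijacked mappings plus the usual loopback line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
"""
# Names whose redirection silences browser protections (assumption: a short list
# taken from the thread, not an exhaustive one).
PROTECTION_HOSTS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
MASS_REDIRECT = 5  # assumption: this many names on one non-loopback IP is suspicious
# Assumption: a comments-only file is a valid reset; Windows resolves localhost itself.
DEFAULT_HOSTS = "# hosts reset after hijack cleanup; add only overrides you set yourself.\n"


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per name, skipping comments and junk lines."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: damaged or deliberately odd line
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def triage(pairs):
    """Flag non-loopback targets that hijack protection services or fan in many names.
    Returns (ip, category, hostnames) tuples."""
    by_ip = {}
    for ip, name in pairs:
        by_ip.setdefault(ip, []).append(name)
    findings = []
    for ip, names in by_ip.items():
        if ip in LOOPBACK:
            continue  # sinkholing to loopback is the legitimate use of a hosts file
        hit = sorted(n for n in names if n in PROTECTION_HOSTS)
        if hit:
            findings.append((ip, "protection-bypass", hit))
        if len(names) >= MASS_REDIRECT:
            findings.append((ip, "mass-redirect", names))
    return findings


def reset_hosts(path):
    """Back up the file beside itself, then write DEFAULT_HOSTS; returns the backup path.
    A PermissionError here on Windows usually means the malware changed the ACL or set
    read-only/hidden attributes: restore ownership and permissions first, then rerun."""
    backup = path.with_name(path.name + ".hijacked.bak")
    if path.exists():
        shutil.copy2(path, backup)
    try:
        path.write_text(DEFAULT_HOSTS, encoding="ascii")
    except PermissionError as exc:
        raise PermissionError(f"cannot write {path}; reset its ACL/attributes first") from exc
    return backup


def is_clean(path):
    """True when every remaining entry points at loopback, i.e. no redirects are left."""
    return all(ip in LOOPBACK for ip, _ in parse_hosts(path.read_text()))


def demo():
    """Run triage and reset against a copy in a temp dir, never the real hosts file."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = Path(tmp) / "hosts"
        hosts.write_text(SAMPLE_HOSTS)
        findings = triage(parse_hosts(hosts.read_text()))
        before = is_clean(hosts)
        reset_hosts(hosts)
        return before, is_clean(hosts), findings
```

Run against the sample, triage reports one protection-bypass finding (the two Google/Microsoft names) and one mass-redirect finding (all fifteen names on 74.125.45.100), and demo() returns (False, True, findings): dirty before the reset, clean after. Keep the .hijacked.bak copy; it is the evidence of what the infection pointed where, and it is what the experts in the thread mean when they say the hosts file is a symptom to fix only after the infection itself is removed.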
 

Author Comment

by:ycguy1117
ID: 35037158
Nope! Just redirects.
0
 
LVL 22

Expert Comment

by:optoma
ID: 35037352
Ok. Try steps above to reset Hosts file :)
0
 
LVL 38

Expert Comment

by:younghv
ID: 35037484
"Do I need to uninstall malwarebytes and try again? "

You do not need to 'uninstall' it, but you do need to download it again using the "renaming/Save As" function I described.

Many variants of malware will recognize the MBAM-setup file when it hits your computer and block its effectiveness.

If you save it to your Windows desktop as "xyz.exe", simply double-left-click on xyz.exe after it is downloaded.

What I am describing for you is very standard for any of us who actually fight malware for a living.

You are attempting to repair something that is very old in malware terms (almost two years) and is very easy to fix if you will follow the instructions at the link I posted.
0
 
LVL 38

Accepted Solution

by: younghv (earned 500 total points)
ID: 35037515
I will once again state that any effort directed at your HOSTS file is wasted.
THAT symptom can easily be fixed after the repair is done.

The simplest method I know of is to use the instructions and file found here:

http://www.mvps.org/winhelp2002/hosts.htm

ONLY do that after MBAM has repaired the infection.
0
