  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 322
  • Last Modified:

Hijacked web sites

Have the spyware: 74.125.45.100 associated with rogueware. When going to a site in Google, get taken to one of their addresses using the above IP.

Ran Spybot but it cannot delete; get the following error:

Unexpected error in fixing problems
(cannot create file)
System32\drivers\etc\host*
access is denied
Asked by: ycguy1117
1 Solution
 
brettkm commented:
I would try a scan with Malwarebytes' Anti-Malware, TDSSKiller, Hitman Pro and ComboFix, in that order. If your machine is still infected, please reply with any logs created by these programs.
 
optoma commented:
Along with using the above scanners, you will also have to reset the Hosts file; otherwise you will still get redirected.
http://forums.majorgeeks.com/showthread.php?t=138700
 
younghv commented:
ycguy1117,
The symptoms you are describing appear to be some variant of the malware known as "Windows Protection Suite".

Here is a step-by-step set of instructions for removing it:
http://www.bleepingcomputer.com/virus-removal/remove-windows-protection-suite

Please work through them and post back if you have any questions.

@Experts -
You are encouraged to actually read the details of the problem being described and try to give targeted advice.

Random suggestions are never a good idea when trying to solve malware problems.
 
optoma commented:
Access is denied to the hosts file. Generally, if that happens, malware has altered permissions and added a list of "bogus" redirects.

Author: To clarify whether the hosts file contains these rogue IP addresses, post a HijackThis log, which should note those entries if they exist.

Note: if the system is Vista or 7, "run as administrator" for HijackThis.
 
younghv commented:
ycguy1117,
Simply re-setting your "HOSTS" file will not address the underlying infection.

You have to treat the actual problem - not the symptoms.
 
ycguy1117 (Author) commented:
Ran all of the software mentioned, no success:

ComboFix will not run; indicates Symantec is on. I have disabled everything; still indicates the scan feature is running.
Tried to run hosts reset: error: Cannot create file. Will not run.

Here is the file with the names and IP address that cause this issue and seemingly cannot be deleted:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
 
younghv commented:
You should not be running ComboFix - beyond the fact that several anti-malware applications will conflict with it, it is not needed.

Follow the instructions in the link I posted above, but when downloading MBAM, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.
 
optoma commented:
Regarding the hosts file: did you make it writable using HostsXpert first? If so, there is another way which can fix it.

You ran all the mentioned scanners (brettkm's post) except CF. Did they find anything?
 
ycguy1117 (Author) commented:
I was trying to follow the directions posted in the first reply. I had Malwarebytes already installed on this machine; it did not detect anything. That is why I ran Spybot: it found it but could not delete due to the error on the hosts file. Do I need to uninstall Malwarebytes and try again?
 
optoma commented:
Apart from the redirects (due to the hosts file), is there any fake program popping up on the machine, hampering other functions?

Use these steps for the hosts file to reset it to defaults:
1-Create a system restore point

2-Download Unlocker + Microsoft's hosts Fix it
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (AV may detect it as a threat, so disable AV temporarily if so)
http://support.microsoft.com/kb/972034

3-Show hidden files
http://www.bleepingcomputer.com/tutorials/tutorial62.html

4-Run Unlocker and browse to
C:\windows\system32\drivers\etc
Use Unlocker to delete the hosts file

5-Reboot and run Microsoft's Fix it to create a new hosts file

6-Reboot again and check the hosts file
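Added example, not code from any poster in this thread: a small Python hosts-file checker that parses a hosts file, flags the hijack pattern visible in the entries ycguy1117 posted above (one non-loopback address mapped to many unrelated hostnames, with browser security-lookup domains such as safebrowsing-cache.google.com and urs.microsoft.com among them), and produces a cleaned copy in the spirit of the reset steps optoma lists. The sample hosts text is constructed from the posted entries plus a normal localhost header; the watch-list of domain suffixes and the threshold of three hostnames per address are assumptions for illustration, not from the thread. Loopback and 0.0.0.0 mappings are left alone so a legitimate blocklist (such as the MVPS file mentioned later) is not treated as an infection. The script reads and writes text only; the "access is denied" problem in the thread is a permissions issue that this code does not touch.

```python
"""Hosts-file hijack checker (added example, not from the thread).

Parses a hosts file, reports non-loopback addresses that map many
hostnames or any watched security/update domain, and returns a cleaned
copy with those lines removed. It does not change file permissions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the entries posted in the thread, plus a normal header.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
"""

# Assumed watch-list (not from the thread): domains whose redirection breaks
# browser safe-browsing / URL-reputation lookups or vendor updates.
WATCHED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com",
                    "symantec.com", "malwarebytes.org")


def parse_hosts(text):
    """Return [(lineno, ip_address, [hostnames])] for each active line.

    Comment-only and blank lines are skipped; a line whose first field is
    not a valid IP is skipped too and left for manual review.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((lineno, ip, [h.lower() for h in fields[1:]]))
    return entries


def find_hijacks(text, max_hosts_per_ip=3):
    """Return {ip: {"hosts": [...], "watched": [...]}} for suspicious IPs.

    Loopback and 0.0.0.0 are never suspicious (blocklists such as the MVPS
    hosts file map thousands of ad hosts to them). Any other address is
    reported if it maps more than max_hosts_per_ip hostnames or maps a
    hostname on the watch-list.
    """
    by_ip = defaultdict(list)
    for _, ip, hosts in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        by_ip[str(ip)].extend(hosts)
    report = {}
    for ip, hosts in by_ip.items():
        watched = [h for h in hosts
                   if any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)]
        if len(hosts) > max_hosts_per_ip or watched:
            report[ip] = {"hosts": hosts, "watched": watched}
    return report


def clean_hosts(text):
    """Return the hosts text with every line for a suspicious IP removed.

    Comments, blank lines and loopback entries are kept verbatim so that a
    legitimate local mapping survives the cleanup.
    """
    bad_ips = set(find_hijacks(text))
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        first = line.split()[0] if line else ""
        if first in bad_ips:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    import sys
    # On Windows the real file is C:\Windows\System32\drivers\etc\hosts.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, info in find_hijacks(text).items():
        print(f"{ip}: {len(info['hosts'])} hostnames; watched: {info['watched']}")
```

Run it with the path to the hosts file as the only argument, or with no argument to check the constructed sample. On the sample it reports 74.125.45.100 with 15 hostnames, two of them on the watch-list; clean_hosts keeps only the comment header and the two localhost lines. Writing the cleaned output back still requires write access to the file, which is exactly what the thread's "access is denied" error shows is missing until ownership and permissions are restored.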
 
ycguy1117 (Author) commented:
Nope! Just redirects.
 
optoma commented:
OK. Try the steps above to reset the Hosts file :)
 
younghv commented:
"Do I need to uninstall malwarebytes and try again? "

You do not need to 'uninstall' it, but you do need to download it again using the "renaming/Save As" function I described.

Many variants of malware will recognize the MBAM-setup file when it hits your computer and block its effectiveness.

If you save it to your Windows desktop as "xyz.exe", simply double-left-click on xyz.exe after it is downloaded.

What I am describing for you is very standard for any of us who actually fight malware for a living.

You are attempting to repair something that is very old in malware terms (almost two years) and is very easy to fix if you will follow the instructions at the link I posted.
 
younghv commented:
I will once again state that any effort directed at your HOSTS file is wasted.
THAT symptom can easily be fixed after the repair is done.

The simplest method I know of is to use the instructions and file found here:

http://www.mvps.org/winhelp2002/hosts.htm

ONLY do that after MBAM has repaired the infection.