Solved

Hijacked web sites

Posted on 2011-03-03
Last Modified: 2012-08-13
Have the spyware: 74.125.45.100 associated with rogueware. When going to a site in Google, I get taken to one of their addresses using the above IP.

Ran Spybot, but it cannot delete; I get the following error:

Unexpected error in fixing problems
(cannot create file)
System32\drivers\etc\host*
access is denied
Question by:ycguy1117
14 Comments
 
LVL 7

Expert Comment

by:brettkm
ID: 35033882
I would try a scan with Malwarebytes' Anti-Malware, TDSSKiller, Hitman Pro and ComboFix in that order.  If your machine is still infected please reply with any logs created by these programs.
LVL 22

Expert Comment

by:optoma
ID: 35034527
Along with using the above scanners, you will also have to reset the Hosts file; otherwise you will still get redirected:
http://forums.majorgeeks.com/showthread.php?t=138700
LVL 38

Expert Comment

by:younghv
ID: 35034989
ycguy1117,
The symptoms you are describing appear to be some variant of the malware known as "Windows Protection Suite".

Here is a step-by-step set of instructions for removing it:
http://www.bleepingcomputer.com/virus-removal/remove-windows-protection-suite

Please work through them and post back if you have any questions.

@Experts -
You are encouraged to actually read the details of the problem being described and try to give targeted advice.

Random suggestions are never a good idea when trying to solve malware problems.
LVL 22

Expert Comment

by:optoma
ID: 35035315
Access is denied to the hosts file. Generally, if that happens, malware has altered permissions and added a list of "bogus" redirects.

Author: To clarify whether the hosts file contains these rogue IP addresses, post a HijackThis log, which should note those entries if they exist.

Note: if the system is Vista or 7, "run as administrator" for HijackThis.
LVL 38

Expert Comment

by:younghv
ID: 35035335
ycguy1117,
Simply re-setting your "HOSTS" file will not address the underlying infection.

You have to treat the actual problem - not the symptoms.
Author Comment

by:ycguy1117
ID: 35036470
Ran all of the software mentioned, no success:

ComboFix will not run; it indicates Symantec is on. I have disabled everything, but it still indicates the scan feature is running.
Tried to run the hosts reset: error; Cannot create file. Will not run.

Here are the entries with the names and IP address that cause this issue and seemingly cannot be deleted:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
0
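An added audit script, not from the thread or any of the tools named in it, that checks a hosts file for the pattern the author posted: browser safe-browsing and vendor update domains pinned to one public IP. The sample entries and the watch list of domain suffixes are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format the author posted (not the full file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
"""

# Hypothetical watch list: domains that browsers and security tooling rely on
# and that a clean hosts file should never pin to a public address.
WATCHED_SUFFIXES = ("google.com", "microsoft.com", "malwarebytes.org",
                    "safer-networking.org", "symantec.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def audit_hosts(text, fan_in=3):
    """Return a list of (ip, hostname(s), reason) findings."""
    findings = []
    public_names = defaultdict(list)       # public IP -> names pinned to it
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_private:
            continue                        # normal local overrides
        public_names[ip].append(name)
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            findings.append((ip, name, "watched domain pinned to public IP"))
    for ip, names in public_names.items():
        if len(names) >= fan_in:            # one public IP "owning" many hosts
            findings.append((ip, ",".join(names), "many hosts pinned to one public IP"))
    return findings
```

Feed it the real file with `audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())`; an empty result means only loopback and private overrides are present.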
LVL 38

Expert Comment

by:younghv
ID: 35036518
You should not be running ComboFix - beyond the fact that several anti-malware applications will conflict with it, it is not needed.

Follow the instructions in the link I posted above, but when downloading MBAM, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.
LVL 22

Expert Comment

by:optoma
ID: 35036913
Regarding the hosts file: did you first make it writable using HostsXpert? If so, there is another way which can fix it.

You ran all the mentioned scanners (brettkm's post) except CF. Did they find anything?

Author Comment

by:ycguy1117
ID: 35036967
I was trying to follow directions posted on the first reply.  I had malware bytes already installed on this machine, it did not detect anything.  That is why I ran spybot, it found it but could not delete due to error on host file.  Do I need to uninstall malwarebytes and try again?
LVL 22

Expert Comment

by:optoma
ID: 35037134
Apart from the redirects (due to the hosts file), is there any fake program popping up on the machine, hampering other functions?

Use these steps for the hosts file to reset it to defaults:
1-Create a system restore point

2-Download Unlocker + Microsoft's hosts Fix it
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (AV may detect it as a threat; if so, disable AV temporarily)
http://support.microsoft.com/kb/972034

3-Show hidden files
http://www.bleepingcomputer.com/tutorials/tutorial62.html

4-Run Unlocker and browse to
C:\windows\system32\drivers\etc
Use Unlocker to delete the hosts file

5-Reboot and run Microsoft's Fix it to create a new hosts file

6-Reboot again and check the hosts file
Author Comment

by:ycguy1117
ID: 35037158
Nope! Just redirects.
LVL 22

Expert Comment

by:optoma
ID: 35037352
Ok. Try steps above to reset Hosts file :)
LVL 38

Expert Comment

by:younghv
ID: 35037484
"Do I need to uninstall malwarebytes and try again? "

You do not need to 'uninstall' it, but you do need to download it again using the "renaming/Save As" function I described.

Many variants of malware will recognize the MBAM-setup file when it hits your computer and block its effectiveness.

If you save it to your Windows desktop as "xyz.exe", simply double-left-click on xyz.exe after it is downloaded.

What I am describing for you is very standard for any of us who actually fight malware for a living.

You are attempting to repair something that is very old in malware terms (almost two years) and is very easy to fix if you will follow the instructions at the link I posted.
LVL 38

Accepted Solution

by:
younghv earned 500 total points
ID: 35037515
I will once again state that any effort directed at your HOSTS file is wasted.
THAT symptom can easily be fixed after the repair is done.

The simplest method I know of is to use the instructions and file found here:

http://www.mvps.org/winhelp2002/hosts.htm

ONLY do that after MBAM has repaired the infection.