
Redirection problems and general slower running of PC

Discussion in 'Malware Removal' started by x0pticLukeZz, Feb 6, 2012.

  1. x0pticLukeZz

    x0pticLukeZz Private E-2

    Hey all,

    I've been having some redirection problems to various websites, sometimes from Google and sometimes if I type a URL in myself.

    I've followed the steps from the sticky on this subject up to step 4, my TDSSkiller log is attached. Should I continue on to run the MBRCheck?

    Thanks!:)
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    Yes! And then continue on with the READ & RUN ME which is mentioned right after MBRcheck.
     
  3. x0pticLukeZz

    x0pticLukeZz Private E-2

    MBRCheck log is attached
     

    Attached Files:

  4. x0pticLukeZz

    x0pticLukeZz Private E-2

    Attached are logs from SAS, MBAM and MGtools.

    Combofix would not run past the extraction stage; it displayed no blue screen as shown in the instructions.

    RootRepeal is not included since I am using Windows 7 x64.

    Also, MGtools displayed an error message stating that HiJackThis couldn't access the Hosts file for some reason.

    I'm still having redirection problems after performing all the cleanup procedures and scans! I think it started a day or two ago. I'm afraid I'm not sure what I was doing at the time, sorry :s
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go back and re-run TDSSkiller and if the below still appear like last time, cure/delete them ( which ever option is presented ) this time
    Code:
    15:44:25.0608 5620 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    15:44:25.0608 5620 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip 
    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - .DEFAULT User Startup: toap.exe (User 'Default user')

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under the Avenger icon on the download page.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot, copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. x0pticLukeZz

    x0pticLukeZz Private E-2

    HostsXpert says "Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit."

    I click OK and the same window pops up, press it again and it goes away but the 'Make Writable?' button does nothing.

    The 'Restore MS Hosts file' button also comes up with an error.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running HostsXpert.exe by right clicking on it and selecting Run As Administrator.

    If that does not work, just continue on with the rest of the instructions anyway.
     
  8. x0pticLukeZz

    x0pticLukeZz Private E-2

    HostsXpert.exe still wouldn't work even running as administrator.

    Avenger rebooted my PC but didn't create avenger.txt anywhere nor show me a file on reboot... the closest thing I could find is the attached ozvxqu.txt

    I didn't download ATF Cleaner because it says it's for Windows XP or 2000 and I'm running Windows 7.

    Everything else seemed to go fine, I got the success message from fixme.reg and MGlogs.zip is attached.

    Still getting redirected I'm afraid and browsing still doesn't seem as fast as it should be.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Of course. That's because the fix with Avenger failed. It did not fix anything at all.

    Please try the same procedure again ( ignore ATF Cleaner ) after booting into safe mode. Also whether Avenger works properly or fails again, after the reboot from it, boot into safe mode a second time and see if ComboFix will run.

    Instead of ATF Cleaner, use CCleaner. Download and install CCleaner
    • Now run CCleaner with the default options (that means don't change anything) to clean out temporary files.
    • Only use the default settings on the Windows Tab and select Run Cleaner. Do not run any other options from other tabs.
     
    Last edited: Feb 8, 2012
  10. x0pticLukeZz

    x0pticLukeZz Private E-2

    Avenger, ComboFix and HostsXpert wouldn't work but I ran CCleaner successfully.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Luke\AppData\Local\Temp\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
    C:\Users\Luke\AppData\Local\Temp\~!#E12E.tmp
    C:\ProgramData\7sS2lmg0.dat
    C:\Windows\TEMP\hki1143.exe
    C:\Windows\TEMP\hki1264.exe
    C:\Windows\System32\drivers\ibif.sys
    C:\Windows\System32\drivers\kpfvc.sys
    C:\Windows\SysWOW64\drivers\ibif.sys
    C:\Windows\SysWOW64\drivers\kpfvc.sys
    C:\Windows\System32\fv08j7LFs.com
    C:\Windows\SysWOW64\fv08j7LFs.com_
    C:\Windows\assembly\temp\@
    C:\Windows\assembly\temp\cfg.ini
    C:\Windows\assembly\temp\oemid
    C:\Windows\assembly\temp\version
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Users\Luke\AppData\Roaming\Microsoft\Windows\Templates\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
    C:\ProgramData\7sS2lmg0.dat
    C:\ProgramData\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
    c:\windows\Tasks\At*.job
    C:\Windows\assembly\temp\U
    C:\Users\Luke\AppData\Local\Temp\{0450AB7E-6644-45F5-BCD3-4BFF4E14B7D7}
    C:\Users\Luke\AppData\Local\Temp\{6C1D6858-40B5-48C5-90DE-DC46042DFBEE}
    C:\Users\Luke\AppData\Local\Temp\{9f11ca77-519a-44ec-9fa3-684e0d51a701}
    C:\Users\Luke\AppData\Local\Temp\{A38D7227-150B-45CD-898D-9C36603054ED}
    C:\Users\Luke\AppData\Local\Temp\{D6D1FF1C-E7BB-4980-B55F-C57955F2FF9F}
    C:\combofix
    C:\Users\Luke\Desktop\avenger.exe
    C:\avenger
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    C:\Windows\SysNative\drivers\etc\hosts
    ipconfig /flushdns /c
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
     
  12. x0pticLukeZz

    x0pticLukeZz Private E-2

    Here are the logs
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that fix removed a bunch of issues, but it did not fix everything it said it fixed. There is still an underlying infection from Zero Access and your hosts file is still locked. We need to collect some additional info, especially since we cannot get ComboFix and Avenger to run properly.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      drivers32 
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      C:\Windows\SysNative\drivers\etc\hosts
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %SYSTEMROOT%\AppPatch\*.exe
      %SYSTEMROOT%\inf\*.exe
      %SYSTEMROOT%\Installer\*.exe
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      %PROGRAMFILES%\*.*
      %APPDATA%\Update\*.*
      %PROGRAMFILES%\Common Files\*.*
      %PROGRAMFILES%\Microsoft\*.*
      %ProgramFiles%\Microsoft Common\*.*
      %USERPROFILE%\My Documents\*.exe
      %USERPROFILE%\*.exe
      dir /b "%systemroot%\system32\*.exe" | find /i " " /c
      dir /b "%systemroot%\*.exe" | find /i " " /c
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      hklm\system\currentcontrolset\control\session manager\subsystems
      hklm\system\controlset001\control\session manager\subsystems
      hklm\system\controlset002\control\session manager\subsystems
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  14. x0pticLukeZz

    x0pticLukeZz Private E-2

    There you go
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shut down any protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    O1 HOSTS File: ([2012/02/02 18:57:26 | 000,001,401 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1       localhost
    O1 - Hosts: ::1             localhost
    O1 - Hosts: 109.163.226.208 www.google-analytics.com.
    O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
    O1 - Hosts: 109.163.226.208 www.statcounter.com.
    O1 - Hosts: 67.215.245.19 www.google-analytics.com.
    O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
    O1 - Hosts: 67.215.245.19 www.statcounter.com.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3666389844-4192593307-1049294338-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
     
    :Files
    C:\32788R22FWJFW
    C:\Users\Luke\Desktop\ComboFix.exe
    C:\Windows\SysNative\dds_trash_log.cmd
    C:\Windows\SysNative\drivers\etc\hosts
    C:\Users\Luke\AppData\Local\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
    C:\Users\Luke\AppData\Local\Wmerazozahu.dat
    C:\Users\Luke\AppData\Local\Mkope.bin
    C:\ozvxqu.txt
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    dir C:\Users\Luke\AppData\Local\{B9C525E4-A8F0-43A7-B75B-817CF53121F5}
    dir C:\Users\Luke\AppData\Local\{AE3ADCAF-2EC2-46B1-8CD5-5758E0E6515C}
    dir C:\Users\Luke\AppData\Local\{69175AF6-B3BD-45FE-9F0D-C658E0702076}
    dir C:\Users\Luke\AppData\Local\{0D4A0BF8-5E12-45FA-B89F-A76922F0CD0A}
    dir C:\Users\Luke\AppData\Local\{2460E979-308D-4290-ACB1-2E1CFC6C625B}
    dir C:\Users\Luke\AppData\Local\{F6510A6D-2EE1-4C62-B4AA-D595BB42E540}
    dir C:\Users\Luke\AppData\Local\{7835F9DD-A555-4387-AA33-AF1ABC52E645}
    dir C:\Users\Luke\AppData\Local\{680F13F5-85F7-4482-B651-990175CDB7B8}
    dir C:\Users\Luke\AppData\Local\{D68218B9-E71B-4771-B6DA-4DB3F0E377BF}
    dir C:\Users\Luke\AppData\Local\{9C7781B4-4A7D-4F6C-828B-74B46B54C544}
    dir C:\Users\Luke\AppData\Local\{2B6CE598-E4E1-4328-9797-FD0FD466A64F}
    dir C:\Users\Luke\AppData\Local\{94BCC2A7-4E48-4839-9401-70C035726F75}
    dir C:\Users\Luke\AppData\Local\{07F79CC6-2A4F-483C-A0CA-6AA53E1AEC65}
    dir C:\Users\Luke\AppData\Local\{15AB81C5-6E28-4766-886F-10C1FB9F411E}
    dir C:\Users\Luke\AppData\Local\{0F4A50D2-7811-43AF-81EB-3568D13545B3}
    dir C:\Users\Luke\AppData\Local\{588B208C-F35A-49FA-81F3-B2DD07417F11}
    dir C:\Users\Luke\AppData\Local\{4E4D25E5-F35F-407E-BB39-0CA3CF71A29E}
    dir C:\Users\Luke\AppData\Local\{6AE6C089-2E10-4FBB-8843-A0E144A5B323}
    dir C:\Users\Luke\AppData\Local\{94CAC925-B8E1-490B-BA2B-BACB0C976E0B}
    dir C:\Users\Luke\AppData\Local\{3F2E92B1-8594-4735-8632-543A08A1DF60}
    dir C:\Users\Luke\AppData\Local\{9174E309-D316-42CB-8C31-72191936C16A}
    dir C:\Users\Luke\AppData\Local\{876083C9-66A5-4659-AE24-4F4FCE4BFEB1}
    dir C:\Users\Luke\AppData\Local\{81BF74B3-9151-48D9-8B0C-B92FCEDA3550}
    dir C:\Users\Luke\AppData\Local\{95B335A5-9FD3-4A18-ABA0-371B8067D626}
    dir C:\Users\Luke\AppData\Local\{645C6725-6836-40E0-8208-29F64411B370}
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00
    [HKEY_LOCAL_MACHINE\system\controlset001\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00
    [HKEY_LOCAL_MACHINE\system\controlset002\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00 
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. x0pticLukeZz

    x0pticLukeZz Private E-2

    OTL pops up with the error "Cannot create file C:\Windows\System32\drivers\etc\Hosts." as soon as I click Run Fix. It then just hangs on the next step of the fix, doesn't go any further.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hold down the Windows logo key and press the 'e' key to bring up Windows Explorer.
    Paste the below into the Address bar ( or navigate to the folder manually ) and press enter

    C:\Windows\System32\drivers\etc

    In the right window pane of Win Explorer, right click on the hosts file and select Properties. Then click the Security tab. What user names do you see in the Group or user names: box?
     
  18. x0pticLukeZz

    x0pticLukeZz Private E-2

    There's only an 'Authenticated Users' group.. seems a bit odd, there are usually a few different ones
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, so click on the Authenticated Users group, and then in the lower part of the form, which has the title Permissions for Authenticated Users, what do you see for permissions in the Allow column? That is, which of the below have check marks in the Allow column?

    Full control
    Modify
    Read & execute
    Read
    Write
    Special permissions
     
  20. x0pticLukeZz

    x0pticLukeZz Private E-2

    Read only
     
