Host File Hijacked - Not cleaned up even after READ&RUN

Discussion in 'Malware Help (A Specialist Will Reply)' started by bvp, Sep 20, 2009.

  1. bvp

    bvp Private E-2

    Majorgeeks
    I think you guys are doing a great service.
    Please see if you can help me out.


    System Details:
    Windows XP running on Mac.

    Problem Description:
    For the past couple of days I have been getting a message that the system cannot write to my host file. When I ran HijackThis, it also displayed a message that it cannot edit the host file. But it returned a subsequent message that my host file is loaded with hijackings. I noticed that apart from some spurious websites, there were entries for all Google sites with the hijacker's IP address. I also had Windows PC Defender malware loaded on my machine.

    Action taken:
    1. Somehow removed Windows PC Defender (combination of deletion of files and registry updates).
    2. Host file hijacking remained.
    3. Followed all the steps detailed in READ&RUN ME FIRST.
    4. It appeared Malwarebytes removed a whole bunch of hijackings.
    5. But at the end the problem still exists.
    6. When I go to google.com in the browser, I can definitely identify the hijacker's site. In fact it goes to google.ca even if I try to go to google.com.

    Here are the logs. Appreciate if you could help.
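The symptom described above (every Google name in the hosts file pointing at one outside address) can be checked mechanically. The following is an added example, not code from this thread or from MajorGeeks; it parses a constructed sample hosts file, flags names that are redirected to a non-loopback address, and groups them by target so a single hijacker IP covering many names stands out. The sample contents and the 203.0.113.10 address are made up for illustration.

```python
import ipaddress
# Constructed sample hosts file, modelled on the redirects the post describes
# (google sites pointing at one hijacker address). 203.0.113.10 is a
# documentation-range placeholder, not a real indicator.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # blocklist-style sinkhole, harmless
203.0.113.10    google.com www.google.com
203.0.113.10    google.ca  www.google.ca # same hijacker IP, explains the .ca redirect
203.0.113.10    bank.example.org
"""
# Addresses that only sinkhole a name rather than send it somewhere else
SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # malformed line, skip it
        for host in fields[1:]:
            yield ip, host.lower(), line_no

def find_hijacks(text, watch_suffixes=("google.com", "google.ca")):
    """Return (line_no, hostname, ip, reason) for suspicious mappings: any name
    sent to a non-sinkhole address, plus watched names even when sinkholed."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        watched = any(host == s or host.endswith("." + s) for s in watch_suffixes)
        if ip in SINKHOLE and not watched:
            continue                                 # normal localhost/blocklist entry
        reason = ("watched name sinkholed" if ip in SINKHOLE else
                  "watched name redirected" if watched else "name redirected off-host")
        findings.append((line_no, host, str(ip), reason))
    return findings

def group_by_target(findings):
    """Map each redirect address to the names it captures; one address
    collecting many names is the hijack pattern seen in the post."""
    groups = {}
    for _, host, ip, _ in findings:
        groups.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `find_hijacks` instead of `SAMPLE_HOSTS`; a hosts file that cannot be written, as in the post, is often also marked read-only or held open by the malware, so check attributes as well.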

  2. bvp

    bvp Private E-2

    Here is the MGlogs.zip

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you ran the MGTools, did you not get a pop-up for the license agreement to run HJT? It is missing in your log.

    Use windows explorer to find and delete:
    C:\Documents and Settings\All Users\Application Data\5AE60FC
    C:\Documents and Settings\Chitra\Local Settings\Temp\kL6wYtDY.exe.part

    Now please put Combofix on your desktop as instructed, not here:
    c:\documents and settings\Chitra\My Documents\Downloads\ComboFix.exe

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here, and definitely do not use it for long-term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground, and it can also cause performance degradation, especially when you start saving large files here like you are doing.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). Make sure you agree to run HJT.

    Then attach the below logs:
    * C:\MGlogs.zip
  4. bvp

    bvp Private E-2

    Again, I did not get a pop-up for the HJT agreement.
    Logs attached.

    Last edited: Sep 26, 2009
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I see you have been using a hosts program. Have you cleaned out your hosts files?

    I am not seeing any malware, but you definitely need to run CCleaner and remove all your temp files.

    What issues are you still having?

    You are in desperate need of more RAM:
    Total Physical Memory 512.00 MB
    Available Physical Memory 47.37 MB