Can't fix hosts file

[cauzomb]

Thanks for the update.. Regarding your bootloader menu.. It's not the usual bootloader

the NoExecute=OptOut

The default value. OptIn Limits DEP to Windows system binaries. This may be why you can't change this system file with Anything.

edit, also, unless you are asking windows to load the safe mode boot menu, you don't need the CMDCONs entry. I don't know what to say other than there's something on your computer blocking access to the hosts file..

Have a look at this section at mvps.org, http://www.mvps.org/winhelp2002/hostsfaq.htm#Locking

[ryan85]

Hmm so is there something i should do about the bootloader menu?

I read the link but that seems limited to ZoneAlarm, are we at the end of the road?

[cauzomb]

Try disconnecting from the internet, unplug/turn off the wireless router if you have wireless/ uninstall comodo and windows defender, then I think if you set msconfig back to normal startup, then use the f8 key to load in safemode, try to rename the hosts file from hosts to hosts.bac or hosts.old. Default location is windows/system32/driver/etc folder.. Then run hostxpert and see if it works or not.. If you still get the error cannot create hosts file.. There is another option.. Boot in safemode, put your windows installation CD in the CD/DVDROM drive, if it opens up a setup screen just close this, leave the windows installation disc in the CD/DVDROM drive, then open start|run and type sfc /scannow (then click ok) the sfc scannow option will compare the system files on the C drive to the files on the CD/DVDROM and replace any that don't match. If your installation disc is not sp3, you may have to uninstall service pack 3 in order to use the sfc /scannow command..

Once this is done, you should restart, then re-install ONE firewall application and ONE anti-virus/malware application that does not have a built in firewall.

[cauzomb]

If the first set of suggestions in the previous post, regarding uninstalling your current anti-virus/anti-malware applications, including windows defender don't work. there is another application that we can use to help you clean/fix the issue.. Hold off on the sfc /scannow suggestion..

The other application is called ComboFix, it requires specific instructions to run and someone to read the log and create the cleaning batch file.. I havn't used it myself but I think JHolland1964, knows how to make the script file.

[ryan85]

Alright the first option worked..somewhat. I unistalled both Comodo and Defender. In safe mode i renamed the file created a new one with hostexpert. I then replaced it with the hosts file from mvps-hopefully you recommend that. However I cannot delete the old, now, hosts.bac - is that a problem?

Also is comodo pro and defender good or what free ware set up would you recommend?

Thanks a lot!

[ryan85]

This may not be related but was on the original post i cant see the character (numbers/letter) in the image on the search page for this forum and other forums.

[cauzomb]

It could be a security setting in your browser, you may have to add the sites to the trusted zone and allow scripts/cookies for trusted sites.

The way to delete the old file: as follows; If your version of windows is "home" you need to restart in safe mode and log in as the administrator.. If it is windows xp pro, you don't need to restart in safe mode, but you need to open start | settings | control panel | folder options | view, then scroll down the view options to "use simple file sharing" and uncheck it... click ok and viola... I recomend that if you have this option to leave it unchecked..

I am uncertain if this method applies to windows xp media center edition.

You can access/delete the file by taking ownership.

link

To take ownership of a file, follow these steps:
Right-click the file that you want to take ownership of, and then click Properties.
Click the Security tab, and then click OK on the Security message (if one appears).
Click Advanced, and then click the Owner tab.
In the Name list, click Administrator, or click the Administrators group, and then click OK.

The administrator or the administrators group now owns the file.
To change the permissions on the file that you now own, follow these steps:
Click Add.
In the Enter the object names to select (examples) list, type the user or group account that you want to have access to the file. For example, type Administrator.
Click OK.
In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
When you are finished assigning permissions, click OK.
You can now access the file.

For permissions, I would recommend that you deny system permissions, and grant full control to the administrator

[cauzomb]

In regards to which applications are good, Malwarebytes anti-malware "mbam" is good, if it is kept up to date and run once n a while.. there are some other anti-malware applications that provide "protection" such as adawareSE or super anti-spyware, or spyware blaster. Then the built in windows firewall, at the minimum, or some other free firewall application. You want to get one that can report outgoing connections, prompt you to either allow, or deny the application permission to send information out on the network.... I have used zone alarm free firewall in the past, with a different OS, but I think; or it is my speculation that, it is lacking in security/privacy, updates may lend to worse privacy/security...

If you want to find what other people are using, I'd suggest searching through google for free firewall reviews from well known tech/help or security related websites. I think some of the comercial companies, that have fee based products, have to put the lotion on their skin, in order for them to be a for profit comercial entity, in this organization//


I'm thinking that you still have some little issues, so I am going to recommend that you follow the instructions for running ComboFix, "when you get the instructions" and then attach the CombFixlog.

[jholland1964]

BEFORE running Combofix, I think other steps should be taken. Combofix is a pretty drastic program to begin with. Start with these steps, post the logs, then do a new HJT scan and post that log and then it can be decided if Combofix is needed, right now? I would say no.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

• DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
• Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer


Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

• You will need to use Internet Explorer to to complete this scan.
• You will need to temporarily Disable your current Anti-virus program.
• Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
• When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Again, Reboot the computer.

Run a new HiJackThis scan and save the log. Post back here with the logs in this order;
MBA-M log, ESET log, and the HJT log.
I'll take a look at all.
Judy

[ryan85]

Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3

9/3/2009 3:20:23 AM
mbam-log-2009-09-03 (03-20-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168707
Time elapsed: 29 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=4b8a8c955132fd4d862f202e4471aa96
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-03 09:30:22
# local_time=2009-09-03 04:30:22 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=64767
# found=0
# cleaned=0
# scan_time=2284





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:55 AM, on 9/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\antivirus\jackT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Internet Connection Wizard Setup Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [toscdspd] TOSCDSPD.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8258AADA-EC4D-4A6B-B39A-537A0185E6B3}: NameServer = 207.7.4.67,207.7.4.66
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 3948 bytes