Jon Fleming Posted July 16, 2012 ID:571531 Share Posted July 16, 2012 This is a pretty weird one. A friend complained of popups and unexpected redirections. He has Microsoft Security Essentials on Win7 Home Premium x64, and it's up to date. So I installed MBAM and ran a quick scan. It found nothing. I found that his IE popup blocker was off and turned it on. Then I ran HijackThis. HJT warned me that it couldn't write to the Hosts file, and showed several redirects from the Hosts file. I found a Hosts file in C:\Windows\System32\Drivers\Etc. It was marked RHS and it was owned by Trusted Installer. I took ownership and removed the attributes. Opened it up and it was a perfectly normal Hosts file; just two entries for localhost (IPv4 and IPv6). I searched for Hosts from a 4NT command line, which allowed me to specify including files with any set of attributes. It found two on the C drive, one in the expected place and one deep down in the WInSxS folders. The second one is also a perfectly normal Hosts file with no redirects.But HJT still says it can't write to the Hosts file, and it shows those redirections. I confirmed that the redirections are active via ping and checking the DNS lookup on a free site.Where the heck is HJT finding this file? Do I have to run HJT under Process Monitor to find it?? Link to post Share on other sites More sharing options...
MrCharlie Posted July 16, 2012 ID:571630 Share Posted July 16, 2012 Welcome to the forum.Please remove any usb or external drives from the computer before you run this scan!Please download and run RogueKiller to your desktop.For Windows XP, double-click to start.For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.Click Scan to scan the system. When the scan completes > Close out the program > Don't Fix anything!Don't run any other options, they're not all bad!!!!!!!Post back the report which should be located on your desktop.MrC Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 19, 2012 ID:572965 Share Posted July 19, 2012 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts