AdvancedSetup (Root Admin), December 8, 2021, post ID 1492038

Yes, something modified it. You can try a couple of things.

Open the Windows Explorer file manager to the folder C:\WINDOWS\system32\drivers\etc, then check Properties > Previous Versions and, if a version is found, restore from there.

If not, you could do a System Restore, which will put back the hosts file for you as well.

You could also use Shadow Explorer to possibly grab a copy of the file from a Restore Point: https://www.shadowexplorer.com/
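The post above describes the manual route (Previous Versions, System Restore, Shadow Explorer). The following PowerShell is an added example, not code from the thread or from Malwarebytes: it lists what is actually active in the hosts file, then reads earlier copies of it straight out of the Volume Shadow Copies that "Previous Versions" and Shadow Explorer are built on, so each version can be compared with the live file before anything is restored. It assumes Windows 10/11, an elevated PowerShell session and at least one shadow copy of the system volume; the output folder name is my choice.

```powershell
# Added example, not part of the original thread. Lists what is active in the
# hosts file, then pulls earlier copies of it out of Volume Shadow Copies
# (the store that Explorer's "Previous Versions" tab and Shadow Explorer read).
# Assumptions: Windows 10/11, elevated PowerShell, at least one shadow copy of
# the system volume. The output folder name is my choice.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Active (non-comment) mappings. A stock Windows hosts file has none,
#    so every row printed here was added after installation.
Get-Content -Path $hostsPath |
    Where-Object { $_.Trim() -and -not $_.TrimStart().StartsWith('#') } |
    ForEach-Object {
        $parts = @(($_ -split '\s+') | Where-Object { $_ })
        [pscustomobject]@{
            Address = $parts[0]
            Names   = ($parts | Select-Object -Skip 1) -join ' '
        }
    } | Format-Table -AutoSize

# 2. Timestamp and attributes of the live file (a hidden or read-only hosts
#    file is itself a hint that something set it deliberately).
Get-Item -Path $hostsPath -Force | Select-Object FullName, LastWriteTime, Attributes

# 3. Shadow copies of the system volume, newest first.
$sysVol  = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $env:SystemDrive }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $sysVol.DeviceID } |
    Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning "No shadow copies of $env:SystemDrive exist; Previous Versions and System Restore have nothing to offer."
    return
}
$shadows | Select-Object InstallDate, DeviceObject | Format-Table -AutoSize

# 4. Copy the hosts file out of every shadow copy and compare it with the
#    live one. Windows PowerShell's Copy-Item rejects \\?\GLOBALROOT paths,
#    so cmd.exe's copy does the file read.
$outDir = Join-Path $env:USERPROFILE 'Desktop\hosts-versions'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($sc in $shadows) {
    $src = "$($sc.DeviceObject)\Windows\System32\drivers\etc\hosts"
    $dst = Join-Path $outDir ('hosts_' + $sc.InstallDate.ToString('yyyyMMdd_HHmmss'))
    cmd.exe /c "copy /y `"$src`" `"$dst`"" | Out-Null
    if (Test-Path -Path $dst) {
        $same = (Get-FileHash -Path $dst).Hash -eq (Get-FileHash -Path $hostsPath).Hash
        '{0}: {1}' -f $dst, $(if ($same) { 'identical to live file' } else { 'DIFFERS from live file' })
    }
}

# 5. Once a clean version has been identified, restore it with:
#    Copy-Item -Path "$outDir\hosts_<timestamp>" -Destination $hostsPath -Force
#    and then flush the resolver cache with: ipconfig /flushdns
```

If step 3 prints nothing, the situation is the one sp123 hits in the next post (System Restore off, so no shadow copies): there is no earlier version anywhere on the disk, and the file has to be rebuilt rather than restored.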
sp123 (Author), December 8, 2021, post ID 1492080

For some reason, it seems that System Restore is disabled:
AdvancedSetup (Root Admin), December 8, 2021, post ID 1492138

Okay, please run the Farbar program again for me. Click on Scan and make sure there is a check mark in the Addition.txt check box, then attach back both logs: FRST.txt and Addition.txt.

Thanks @sp123
sp123 (Author), December 8, 2021, post ID 1492143

Logs: FRST.txt, Addition.txt
AdvancedSetup (Root Admin), December 8, 2021, post ID 1492154

Please run it again with an account that has Admin rights.
sp123 (Author), December 8, 2021, post ID 1492155

Done: Addition.txt, FRST.txt

@AdvancedSetup please delete your comment or edit it to remove my username.
AdvancedSetup (Root Admin), December 8, 2021, post ID 1492162

I highly recommend you change your username or any other personal information that might be named on Windows. Using pseudonyms for all account information is highly recommended.

Are you using Microsoft Teams?
Are you using Microsoft OneDrive?
Are you using Microsoft OneNote?

Are you actually using HP print drivers from 2012 for a printer?

HKLM\...\Print\Monitors\HP 5912 Status Monitor: C:\WINDOWS\system32\hpinksts5912LM.dll [331664 2012-06-18] (Hewlett Packard -> Hewlett-Packard Co.)
HKLM\...\Print\Monitors\HP Discovery Port Monitor (HP Officejet Pro 8600): C:\WINDOWS\system32\HPDiscoPM5912.dll [741480 2012-10-17] (Hewlett Packard -> Hewlett-Packard Co.)

Are you programming, or testing wampstackApache?

What is this file? Was this computer attacked by some type of ransomware encryption attack before?

C:\Users\xxx\Downloads\9f9c7002f4ce0dec2f3c8d485d84c03b501b0ebda89a6f14f0727eeda3e0aac3.unknown.decrypted.txt
C:\Users\xxx\Downloads\9f9c7002f4ce0dec2f3c8d485d84c03b501b0ebda89a6f14f0727eeda3e0aac3.unknown.txt

Your DNS servers: 209.18.47.62 - 209.18.47.61

Please consider changing your default DNS server settings. Please choose one provider only. DNS is what lets users connect to websites using domain names instead of IP addresses.

Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server: https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on changing DNS settings if needed.
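Two of the items queried in the post above are worth turning into checks rather than questions, and the PowerShell below is an added example for that (not the thread's own code, nor a Malwarebytes or FRST tool). The print monitor keys matter because each subkey under Print\Monitors names a DLL that the print spooler loads at start-up, so an old or unsigned DLL there is loaded into a SYSTEM process whether or not the printer is still used; the script resolves each registered DLL and reports its Authenticode status and modification date. The second part lists the DNS servers per adapter, which shows where an unexpected pair such as 209.18.47.62/61 comes from. It assumes Windows 10/11 and an elevated session; the resolver allow-list is my own and simply mirrors the providers named in the post, so a DHCP-assigned ISP resolver will be reported as "not in list" even though it may be perfectly legitimate.

```powershell
# Added example, not part of the original thread. Turns the two items the
# post raised into checks: the DLLs registered as print port monitors, and
# the resolvers each adapter is actually using.
# Assumptions: Windows 10/11, elevated PowerShell. The resolver allow-list
# below is my own and just mirrors the providers named in the post.

# --- Print port monitors --------------------------------------------------
# Each subkey under Print\Monitors carries a "Driver" value naming a DLL that
# spoolsv.exe loads when it starts, which is why a 2012 HP monitor is asked
# about: the DLL runs as SYSTEM whether or not the printer is still in use.
$monitorKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$monitors = Get-ChildItem -Path $monitorKey | ForEach-Object {
    $driver = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
    if (-not $driver) { return }   # subkey without a Driver value: nothing is loaded
    $dll  = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path "$env:SystemRoot\System32" $driver }
    $file = Get-Item -Path $dll -ErrorAction SilentlyContinue
    $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
    [pscustomobject]@{
        Monitor  = $_.PSChildName
        Dll      = $dll
        Exists   = [bool]$file
        Status   = if ($sig) { $sig.Status.ToString() } else { 'missing' }
        Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Modified = if ($file) { $file.LastWriteTime } else { $null }
    }
}
$monitors | Format-Table -AutoSize

# Anything without a valid signature, or pointing at a file that is gone,
# deserves a closer look: hash it and check the hash on VirusTotal, as the
# thread later does for the zip FRST produced.
$monitors | Where-Object { -not $_.Exists -or $_.Status -ne 'Valid' } | ForEach-Object {
    Write-Warning "Review port monitor '$($_.Monitor)': $($_.Dll) [$($_.Status)]"
}

# --- DNS servers per adapter ---------------------------------------------
# FRST reported 209.18.47.62/61, which the poster did not expect. Listing the
# servers per interface shows where they come from (a DHCP-assigned ISP
# resolver on one adapter, a manually set one on another, and so on).
$allowed = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1',
             '208.67.222.222', '208.67.220.220', '84.200.69.80', '84.200.70.40')
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Servers   = $_.ServerAddresses -join ', '
            NotInList = ($_.ServerAddresses | Where-Object { $_ -notin $allowed }) -join ', '
        }
    } | Format-Table -AutoSize

# To pin one adapter to a single provider (Cloudflare here), as the post
# recommends; replace 'Ethernet' with the alias shown in the table above:
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '1.1.1.1','1.0.0.1'
```

Most in-box monitors (Local Port, Standard TCP/IP Port, WSD Port and the like) resolve to Microsoft-signed DLLs in System32 and report Valid; a vendor DLL that reports NotSigned, or a subkey whose DLL no longer exists, is the case worth pulling the file for.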
sp123 (Author), December 8, 2021, post ID 1492172

9 minutes ago, AdvancedSetup said: Are you using Microsoft Teams?
Yes - I have used it. Why?

9 minutes ago, AdvancedSetup said: Are you using Microsoft OneDrive?
I was until it ran out of room :(

9 minutes ago, AdvancedSetup said: Are you using Microsoft OneNote?
Not often. Why?

12 minutes ago, AdvancedSetup said: Are you actually using HP print drivers from 2012 for a printer?
It's an old printer. I don't own the printer, so it isn't my choice to get a new one.

13 minutes ago, AdvancedSetup said: Are you programming, or testing wampstackApache?
I have a local Bitnami server on localhost.

14 minutes ago, AdvancedSetup said: Your DNS servers: 209.18.47.62 - 209.18.47.61
That seems like an error. It should be using this one - https://github.com/DandelionSprout/adfilt/tree/master/Dandelion Sprout's Official DNS Server

15 minutes ago, AdvancedSetup said: What is this file? Was this computer attacked by some type of ransomware encryption attack before? C:\Users\xxx\Downloads\9f9c7002f4ce0dec2f3c8d485d84c03b501b0ebda89a6f14f0727eeda3e0aac3.unknown.decrypted.txt C:\Users\xxx\Downloads\9f9c7002f4ce0dec2f3c8d485d84c03b501b0ebda89a6f14f0727eeda3e0aac3.unknown.txt
Nope. I am a (not professional) malware analyst, and that is a malware sample I was analyzing. The .decrypted version is the version I decrypted and deobfuscated.

17 minutes ago, AdvancedSetup said: Highly recommend you change username or any other personal information that might be named on Windows. Using pseudonyms for all account information is highly recommended.
Sadly, not sure how. I will look into this later.
AdvancedSetup (Root Admin), December 8, 2021, post ID 1492175

Okay, no problem about all the software. Just wanted to verify, because the majority of people asked don't seem to use these Microsoft applications, but they start up every time and consume resources even if you don't use them.

Please run the following FIX below.

Please download the attached fixlist.txt file and save it to the Desktop or the location where you ran FRST from.

NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer, this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed. Also, make sure you know the passwords for all websites, as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings, including the firewall. If you have custom firewall rules you need to save, please export or save them first before running this fix.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks
sp123 (Author), December 8, 2021, post ID 1492189

Ran fix: Fixlog.txt

Any idea what this is: 08.12.2021_17.28.29.zip

Thank you for all your help!

Whoops: didn't run as admin. Should I rerun?
AdvancedSetup (Root Admin), December 8, 2021, post ID 1492196

Yes, please run again with Admin rights.

I asked that the file be created for the zip so that I can review it.

Thank you @sp123
sp123 (Author), December 8, 2021, post ID 1492201

New log: Fixlog.txt

Thank you @AdvancedSetup
AdvancedSetup (Root Admin), December 8, 2021, post ID 1492202

    SystemRestore: On => completed
    Restore point was successfully created.
    Secure Boot Status: True

You can now delete those zip files with the date and time as part of the name on your desktop. I no longer need them.
https://www.virustotal.com/gui/file/48c18955d0bb46aaf2f95b31cd5f34478db9e3a25b7600bc3f1ddc43241c0a5e

Can you please do the following?

1. Download the Malwarebytes Support Tool.
2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
3. In the User Account Control pop-up window, click Yes to continue the installation.
4. Run the MBST Support Tool.
5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
6. In the Advanced Options, place a checkmark on all of the Repair System entries. Then click on the Repair System button and allow it to run and restart the system.

After the restart, please do the following:

1. Run the MBST Support Tool again.
2. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
3. In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes.

NOTE: Please have patience, as it can take a while to remove and reinstall. The computer will restart to complete.

After the restart, please do the following:

1. If you're using the paid version of Malwarebytes, please activate and check for updates.
2. Run the MBST Support Tool one more time.
3. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
4. In the Advanced Options, click Gather Logs. A status diagram displays that the tool is getting logs from your machine.
5. A zip file named mbst-grab-results.zip will be saved to the All Users' desktop; please upload that file in your next reply.

Thank you
sp123 (Author), December 9, 2021, post ID 1492203

This error appeared while running the system repair:

Then it crashed and this appeared:
sp123 (Author), December 9, 2021, post ID 1492206

It is late here. I will check in tomorrow in the morning (for my time zone, anyway).
AdvancedSetup (Root Admin), December 9, 2021, post ID 1492207

Please make sure all real-time antivirus protection from Windows Defender and Malwarebytes is disabled when running the tool.

We should have backups from Farbar, but no. If it gives an error and won't back up, then don't proceed.

Thank you
sp123 (Author), December 9, 2021, post ID 1492241

Disabled MB and WD and re-ran:

MB decided to start a scan right now, so maybe that caused an issue.
AdvancedSetup (Root Admin), December 9, 2021, post ID 1492279

Okay, let's not run the Repair. Not sure why your system is having issues with it, but we don't want to cause any issues either.

Go ahead though, please, and do the Clean Removal and reinstall so that you have a good, clean install of the latest version of Malwarebytes. Then reboot, activate, check for updates and do a new Threat scan and post back that log.

Then also run a new Farbar scan and post those logs back, and let me know what issues, if any, you're still having.

Thanks
AdvancedSetup (Root Admin), December 9, 2021, post ID 1492329

One of the devs asked me to ask you if you had turned off Tamper Protection.

Please disable Tamper Protection and then exit out of the Malwarebytes tray application. Then disable Windows Defender real-time protection temporarily and see if you still get the same error from the MBST tool when trying to do the Repair.

Thanks @sp123
sp123 (Author), December 9, 2021, post ID 1492330

I am still working on the reinstall. This popped up:

I never bought or had installed Malwarebytes Privacy, and the VPN I already have is paid for by someone else, so it's free to me. Should I install it, or can I ignore it?

Just an irrelevant question: why doesn't Malwarebytes have an online URL scanner or integrate with VirusTotal? As BG is already free, I don't think this would allow people to steal it. It would just be helpful when checking if a website is detected without visiting it.
sp123 (Author), December 9, 2021, post ID 1492334

Never mind - logs: mbst-grab-results.zip
AdvancedSetup (Root Admin), December 9, 2021, post ID 1492335

You can click the X on the top-right to exit out of that installer. We're working on some changes to the MBST tool to account for that in the future.

Thanks
sp123 (Author), December 9, 2021, post ID 1492336

1 minute ago, AdvancedSetup said: You can click the X on the top-right to exit out of that installer. We're working on some changes to the MBST tool to account for that in the future.
Done. Thank you.
AdvancedSetup (Root Admin), December 9, 2021, post ID 1492337

What day and time is it for you right now?
sp123 (Author), December 9, 2021, post ID 1492338

22 minutes ago, AdvancedSetup said: One of the devs asked me to ask you if you had turned off Tamper Protection.
WD or MB? I can't find MB's tamper protection, and Windows Defender was disabled by Malwarebytes when it installed itself.