Found all these entries in host file

Not my comp but that of my boss. Anyway, needless to say the hosts file is read only, but it won't allow me to un-hide or un-read-only it.. Any ideas???

This is the command I normally use.. (XP Machine)

echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f
attrib -s -h -r "%WinDir%\system32\drivers\etc\hosts"



Here are the entries, and yes, pop-ups are appearing all over the place..
Ran Malwarebytes too... But to no avail, and this machine had Symantec Corporate AV running at the time it got infected.. Good that Symantec software ! :rolleyes:




try deleting it in safe mode

Tried that.. Actually I think I've tried everything !!! Even taken the drive out of the machine to put it in another machine... It's one of those micro SSDs though and I haven't got an adapter that'll fit it..

I NEED to be able to find a way to give myself access back to the hosts file then I'll be back in business.

How do I do that though?
 
There's probably a (hidden) process running that is protecting the file - you might need to find that, nuke it and then you get access back.
 
I think I've managed to fix it via Malwarebytes' very own File Assassin.

To all those party people doing a search for a similar problem.. :cool:
 
That IP 69.72.227.44 looks very familiar to me:

This might help you:
http://forums.malwarebytes.org/index.php?showtopic=70212

It's a very very dodgy form of malware / adware / hijack all rolled into one. I swear I know that IP address from somewhere. Just cannot remember where.

*EDIT*

Try ComboFix

The IP address is hosted on FortressITX Hosting in the United States (known for their mass spamming), pretty sure this IP address was used for an unregulated proxy that caused A LOT of customers for various ISPs in the UK a nightmare. Looks like it's being used for malware now.
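
Added example (not part of any post in this thread): a small Python check for the pattern discussed above, where search-engine and security-service names are pinned to outside addresses in the hosts file. The watchlist, the threshold and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed watchlist: suffixes that should never be pinned in a hosts file.
WATCHED_SUFFIXES = ("google.com", "bing.com", "search.yahoo.com", "microsoft.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED_SUFFIXES, bulk_threshold=3):
    """Return (watched names redirected off-box, addresses holding many names)."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries are block-list style, not redirects
        by_ip[str(ip)].add(name)
    redirected = sorted(
        (name, ip) for ip, names in by_ip.items() for name in names
        if any(name == s or name.endswith("." + s) for s in watched)
    )
    bulk = {ip: len(names) for ip, names in by_ip.items() if len(names) >= bulk_threshold}
    return redirected, bulk

# Constructed sample (documentation-range addresses, not the thread's data).
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.net   # ordinary block-list entry
192.0.2.10 www.google.com
192.0.2.10 google.com
192.0.2.10 WWW.BING.COM
192.0.2.10 uk.search.yahoo.com
198.51.100.7 urs.microsoft.com
10.0.0.5 intranet.example.local
not-an-ip broken.example
"""

if __name__ == "__main__":
    print(audit_hosts(SAMPLE))
```

Any name in the first list, or any address in the second, is a reason to compare the file against a known-good copy before trusting search results or security-update lookups from that machine.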