error messages with windows defender, hosts file & microsoft essential

[stlette]

error messages with windows defender, hosts file & microsoft essential

Hi,
I can't open my hosts file. i want to block websites. when i right click on the hosts file to run as administrator i get http://postimg.org/image/m5pmiw45n/. I cant open windows defender. When i click on it i get error message
i can't install microsoft essentials. this just happened recently when i had a virus or malware that's removed now.

 

[Layback Bear]

This is the preferred way to post screen shots.

By Brink:
http://www.sevenforums.com/tutorials/9733-screenshots-files-upload-post-seven-forums.html

 

[Layback Bear]

My post disappeared I will try again.

**What programs did you use to remove the infection?
**What infection was removed?
**Where did you get MSE from and how.

Make sure all other anti virus programs are uninstalled. They might block the installation of MSE.

Try this.

Start Orb and type in Defender.
Make sure Defender is off.
Reboot and try to install MSE.

Get MSE from here:

Microsoft Security Essentials - Microsoft Windows

At this time stay out of host files. Lets just get you MSE installed and worry about the rest later.

It might be that you have install a fake MSE. Please read this but do notheing until I can locate a expert.

http://www.geekzsupport.com/error-code-0x8004ff81-microsoft-security-essential-installation-failed/

http://answers.microsoft.com/en-us/...on-error/f05d5b19-b3a9-4b8a-86f5-412840298269

Keep us informed on results.

 

[stlette]

What programs did you use to remove the infection?

autoruns, process explorer, emi soft anti malware and an online anti virus scanner, house calls i think.

What infection was removed?

there were 2 or 3. 1 was wscript.exe

Where did you get MSE from and how.

the same place as ur link. how? i clicked on the link in ff.

Start Orb and type in Defender.
Make sure Defender is off.

defender is off. when i type in defender in the run box i get this error.

 

[stlette]

mse installed this time. i threat came up.

 

[stlette]

oh the file it detected was a copy of the hosts file from C:\WINDOWS\SYSTEM32\DRIVERS\ETC that i made a few days ago.

 

[stlette]

this is the error i get when trying to change the hosts file.

 

[Jacee]

Let's see if flushing the DNS cache and restoring MS Hosts file will help.


Copy and paste these lines in Note pad.


@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0


Save as flush.bat to your desktop.
Double click on the flush.bat file to run it. You may need to right click the .bat file and choose to run as Administrator.

 

[stlette]

Double click on the flush.bat file to run it. You may need to right click the .bat file and choose to run as Administrator.

Done. the pc restarted. i went to the windows\system32\drivers\etc folder and it's different. i don't see the hosts file that was there.

 

[Layback Bear]

stlette you are in the good hands of Jacee. She is a expert in such things.
Please continue following her instructions.

Thank you Jacee.

 

[stlette]

Appreciate all the help Layback Bear and Jacee. I was about to reinstall windows 7. haven't reinstall since i bought the pc over 3 years ago. haven't had a problem until now. i do have a may 2014 backup with shadow protect.

 

[andrew129260]

May I also suggest:

1.) Download herdprotect: (choose the portable version)

Download herdProtect - Free Anti-Malware Platform

2.) Run the scan.

3.) When the scan finishes, save the results per the screenshot below. Then upload the log here.

DO NOT REMOVE ANYTHING YET. I will advise if anything needs removed when I receive the log.

Attached Images

 

[stlette]

I ran the scan.
It's here https://copy.com/2iF7vjXfjnEdjTQ3.
It wouldn't let me paste it in the forum because there were too many characters.

 

[andrew129260]

Remove the following:

On each item click action-remove

After removing the below items, restart the pc. Then run a new herdprotect scan and post a new log. You should be able to upload it using the paperclip on the forum with no trouble as many others have. I also suggest deleting this folder: c:\users\jim\desktop\_ycaao5.shr

This program looks like a back door trojan.

If an item you want to keep is there, or if you think the detection is false tell me about it.

This is info for the detected object:

http://www.herdprotect.com/infixpro.exe-bbfcdb0805463b1ad23dce09cbc725edcc645050.aspx

File path: 		c:\users\jim\appdata\roaming\thinstall\infixpro 3.36\40000055800002i\infixpro.exe
Publisher: 		
MD5: 			24c217a10a96eaa3a0a9bee5215f6386
SHA-1: 			bbfcdb0805463b1ad23dce09cbc725edcc645050
Created: 		6/29/2014 7:55:08 PM
Detections: 		10

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\hypersnap.6.70.01\hypersnap_portable_6.70.01_en-de-fr-hu-pl-ru.paf.exe
Publisher: 		PortableAppZ.blogspot.com
MD5: 			add6f8939508c7771bb582ebd13c20a7
SHA-1: 			48c8c868b703b2c81355b146177c5503aaf0c14a
Created: 		8/30/2014 6:33:06 PM
Detections: 		13

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\ie8.portable\ie8.exe
Publisher: 		Microsoft Corporation
MD5: 			b5be2cf02d6aaa8f1321b66e0ba44cfa
SHA-1: 			9e42724110cf0397a52bc406a165f84bf1dbf2da
Created: 		8/30/2014 6:33:06 PM
Detections: 		26

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\your uninstaller! 2006 v5.0.0.335 (thinstalled).exe
Publisher: 		URSoft,Inc
MD5: 			6ef60de69848c8466740c1df33949170
SHA-1: 			ac15ae5676b8d25569ef7c934c5d6e60fee7576b
Created: 		8/30/2014 6:33:00 PM
Detections: 		5

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\vista-shutdowntimer.exe
Publisher: 		Flo
MD5: 			379949e6e2c03c4da74e7c40a9e187e2
SHA-1: 			ca1477a5deaface9f4d09aadc59df67d4a867384
Created: 		8/30/2014 6:33:00 PM
Detections: 		4

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\perfect uninstaller 6.3.3.2 portable.exe
Publisher: 		
MD5: 			af15f0981167fcd39099e2564f6082f9
SHA-1: 			69edcc830910d5a1655e1fdc9fb2e24fe5c231d8
Created: 		8/30/2014 6:33:00 PM
Detections: 		3

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\jv16 powertools 2009 v1.9.0.598 portable.exe
Publisher: 		
MD5: 			baf9c85274d2125070afe365a1d039e7
SHA-1: 			f67722057efa5ca4e4f7be9cd573468e96357515
Created: 		8/30/2014 6:33:00 PM
Detections: 		5

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\hjsplit.exe
Publisher: 		
MD5: 			8ae02e041e81cc74b539278169cade16
SHA-1: 			445669a2cdb90b08eec9149fc930c5ab681fac22
Created: 		8/30/2014 6:33:00 PM
Detections: 		5

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\amazing photo editor 5.6 portable.exe
Publisher: 		
MD5: 			81af0fb447bcc94fba32f5f7f11dfcca
SHA-1: 			dd50dc1608831e4b62b7e2d25d85954e6097515a
Created: 		8/30/2014 6:33:00 PM
Detections: 		3

File path: 		c:\users\jim\desktop\_ycaao5.shr\js4aalyqaacrbqaakk.shr\nxiaajreaac0dgaajc.shr\-uqa.shr\advanced uninstaller pro v9.6 portable.exe
Publisher: 		
MD5: 			838aa8e64deeb52a64d940539640299e
SHA-1: 			3665ebb2688eb66d50005a6a4c8448bb72a1fd2b
Created: 		8/30/2014 6:32:59 PM
Detections: 		6

Where did you get winrar from?

File path: 		c:\program files\winrar\winrar.exe
Publisher: 		Alexander Roshal
MD5: 			495891843cb0bd7cab70ae6b97ba0660
SHA-1: 			ff7511f39bef3d174f1678e5e90f13821733f99c
Created: 		11/8/2013 11:31:15 AM
Detections: 		4

 

[Jacee]

Please download AdwCleaner by Xplode and save to your Desktop.


Step 1.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and select Run As Administrator.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Step 2.
Using AdwCleaner v3: Scan & Clean:
This time click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder


******Post both .txt logs

 

[stlette]

It's bedtime. I'll follow the above 2 steps tomorrow.

 

[stlette]

i restarted the pc. here's the new herdprotect scan log.

I also suggest deleting this folder: c:\users\jim\desktop\_ycaao5.shr

It's deleted.
________________

Using AdwCleaner v3: Scan & Clean:

i can't run step 2 until i know if it's safe to delete the below files.
i ran adwcleaner.exe. these files are legit -
C:\Program Files (x86)\NCH Software
C:\ProgramData\NCH Software
these files i'm not sure about.
C:\END
C:\Windows\System32\roboot64.exe
C:\ProgramData\Device

 

[stlette]

here's the 2nd adwcleaner scan log.

 

[Jacee]

I'd like you to scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the
   
   button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on
      
      to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the
      
      icon on your desktop.
4. Check
   
5. Click the
   
   button.
6. Accept any security warnings from your browser.
7. Check
   
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
    
11. Push
    
    , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the
    
    button.
13. Push
    

 

[Jacee]

Double click on the flush.bat file to run it. You may need to right click the .bat file and choose to run as Administrator.

Done. the pc restarted. i went to the windows\system32\drivers\etc folder and it's different. i don't see the hosts file that was there.

Copy/paste the Hosts.txt