System Restore

Figment

katies_mum wrote: »

Hi have run HijackThis and before it started it say - from some reason system denied write access to the host file - if any hijacked domains are in theis file hijack may not be able to fix this.

I have run it and got a big list, pressed analyze this

katies_mum wrote: »

Hi
It won`t work, I can`t open it or get it to work..got the error message the same as post 24. Maybe I should just get rid of everything and start again? then things might run properly. I can`t believe how rubbish this desktop is lately... Don`t suppose I`ve got much to loose apart from the time to get everything I need re-installed. Any suggestions to try anything else first?

Hope you had a nice meal.

That's a normal message from HiJackThis, and it's safe to ignore the message and continue. If HJT finds any problems in the file it will not be able to fix them for you, you would have to do so manually

Prior to Windows 7, the hosts file was writeable and was a common target for spyware/Malware as they could make changes to the host file to redirect you to websites of their choice.
In Windows 7, Microsoft did the wise thing and (finally) made it read only.

katies_mum

Figment, sorry but I don`t understand what you mean!! couldn`t see any way to get into HiJackThis when I tried it..now I`m more confused, sorry!

Figment

When you ran hijackthis (HJT), you saw this message:


This is just a status message from HJT letting you know it cannot make changes to the host file if it finds anything wrong in it. The 'For some reason' is because the file is read only.

Just click on OK, the scan will continue. It may look like it's stalled so be patient until it has finished scanning your system.

Note: "Analyse this" only shows you more info on the selected item(s), it doesn't fix anything.

In summary, the recommended steps are:

Run HJT
Choose "Do a System Scan and Save a Log File".
Send/show log file to someone who knows what to look for
Close HJT until they reply
Re-run HJT (Scan only) and follow their instructions.

WARNING: HJT is a very powerful program, but it doesn't discriminate between good and bad - you (or someone else) has to make the decisions of what stays and what goes. Make the wrong decision and you could do more harm than good. Therefore if you're unsure, seek advice.

waddler_8

Windows x64 6.1.7600

HijackThis doesn't work properly on x64 systems.

katies_mum

Thanks for explaining it, yes my system is 64bit.

waddler_8

katies_mum wrote: »

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-22 09:42:33

---

09:42:33.110 OS Version: Windows x64 6.1.7600
09:42:33.110 Number of processors: 4 586 0x2505
09:42:33.112 ComputerName: HELEN-HP UserName: Helen
09:42:38.236 Initialize success
09:42:38.411 AVAST engine defs: 12012101
09:42:46.471 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:42:46.473 Disk 0 Vendor: ST375052 HP35 Size: 715404MB BusType: 3
09:42:46.484 Disk 0 MBR read successfully
09:42:46.486 Disk 0 MBR scan
09:42:46.489 Disk 0 unknown MBR code
09:42:46.493 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
09:42:46.496 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 702339 MB offset 206848
09:42:46.519 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12963 MB offset 1438597120
09:42:46.522 Service scanning
09:42:48.111 Modules scanning
09:42:48.115 Disk 0 trace - called modules:
09:42:48.122 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
09:42:48.126 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004965060]
09:42:48.131 3 CLASSPNP.SYS[fffff88001a2a43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004637050]
09:42:49.532 AVAST engine scan C:\Windows
09:42:51.030 AVAST engine scan C:\Windows\system32
09:43:46.946 AVAST engine scan C:\Windows\system32\drivers
09:43:53.275 AVAST engine scan C:\Users\Helen
09:45:31.489 Disk 0 MBR has been saved successfully to "C:\Users\Helen\Documents\MBR.dat"
09:45:31.494 The log file has been saved successfully to "C:\Users\Helen\Documents\aswMBR.txt"

After the scan

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-22 09:51:05

---

09:51:05.574 OS Version: Windows x64 6.1.7600
09:51:05.574 Number of processors: 4 586 0x2505
09:51:05.575 ComputerName: HELEN-HP UserName: Helen
09:51:08.966 Initialize success
09:51:09.035 AVAST engine defs: 12012101
09:51:59.506 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:51:59.507 Disk 0 Vendor: ST375052 HP35 Size: 715404MB BusType: 3
09:51:59.544 Disk 0 MBR read successfully
09:51:59.547 Disk 0 MBR scan
09:51:59.549 Disk 0 Windows 7 default MBR code
09:51:59.571 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
09:51:59.580 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 702339 MB offset 206848
09:51:59.605 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12963 MB offset 1438597120
09:51:59.619 Service scanning
09:52:00.613 Modules scanning
09:52:00.618 Disk 0 trace - called modules:
09:52:00.640 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys
09:52:00.643 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004965060]
09:52:00.647 3 CLASSPNP.SYS[fffff88001a2a43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004637050]
09:52:04.558 AVAST engine scan C:\Windows
09:52:30.285 AVAST engine scan C:\Windows\system32
09:53:29.952 AVAST engine scan C:\Windows\system32\drivers
09:53:36.704 AVAST engine scan C:\Users\Helen
10:01:57.509 AVAST engine scan C:\ProgramData
10:02:56.538 Scan finished successfully
10:05:50.028 Disk 0 MBR has been saved successfully to "C:\Users\Helen\Documents\MBR.dat"
10:05:50.032 The log file has been saved successfully to "C:\Users\Helen\Documents\aswMBR (2).txt"

You didn't click FIXMBR after the first scan did you?

katies_mum

Oops! I thought I had.

waddler_8

It looks like you have - you shouldn't have really.

An unknown MBR just means it could have had a custom HP MBR.

waddler_8

waddler_8 wrote: »

It looks like you have - you shouldn't have really.

An unknown MBR just means it could have had a custom HP MBR.

09:51:59.571 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
09:51:59.580 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 702339 MB offset 206848
09:51:59.605 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12963 MB offset 1438597120

I believe that's your HP Recovery Partition. Your Custom HP MBR will have given you access to it via pressing the correct function key (F11) at boot up.

If so, that option has now gone due to running the FIXMBR command and a default Windows 7 MBR being wrote.

katies_mum

I am grateful for you trying to explain this to me, but to be honest I havn`t got a clue what it all means! I am such rubbish at all of this. With you saying I have done something to myHP Recovery Partition is this the reason it won`t let me ... go back a few days to sort it out.

When I reboot it all back to factory whatever, will I get everything back I should have? thanks