How to repair hijacked "Hosts" file

rubmop
I have a standalone client that has been hijacked by malware that redirects or prevents from entering a search site, and it has altered the Hosts file and is preventing programs such as Spybot, Malwarebytes, et al. from working, as they apparently need access to this file(s) to work. I see many fixes for this, some contradictory and counterintuitive, but no clear consensus. Does anyone have experience in this area or can point me in the right direction? There are many claims out there that ultimately do not work.
  • +
    0 Votes
    Slayer_

    The fact that anti-malware can't run is concerning.

    To fix your hosts file, just open it up and change its entries.

    Run this command:
    notepad.exe "C:\windows\system32\drivers\etc\hosts"

    The only entry that it should have is:
    127.0.0.1 localhost

    After you save, make the file read-only.

    +
    0 Votes
    TheEvilAdmin

    Once this is done, reboot in safe mode and then flush the DNS (ipconfig /flushdns from the cmd prompt). I would also delete all of the temporary files and run a program called ATF Cleaner before attempting to reinstall the anti-malware/virus scanner. With the computer being in safe mode, Malwarebytes/Spybot should run. You might also want to disable anything you don't recognize in the msconfig > Startup tab.

    +
    0 Votes
    rubmop

    ...when prompted for the removal of found malware, they are presented with "C:\windows\system32\drivers\etc\hosts" Access Denied, and the program won't do the repair. It will be later before I can contact them to see what the file includes.

    +
    0 Votes
    Slayer_

    It probably got marked as read-only or its permissions got changed. Both can be checked in safe mode.

    +
    0 Votes
    ---TK---

    If you (not sinisterslay) end up spending more than 4-6 hours on this, I would suggest having him bring in his PC, back up his data, reinstall the OS, and put his data back on. It will probably be quicker, and that will guarantee the virus/trojan/X is gone!

    +
    0 Votes
    rubmop

    Thanks for your insight. Will post solution.

    +
    0 Votes
    Lost Cause?

    I was fighting a virus on an XP machine. One of my tries at removing the virus was to run Hijack This. Hijack This showed me I had a HOSTS file Hijack. It then gave an error about not being able to access the HOSTS file. It then tells you what to do to fix the HOSTS file. It WILL NOT fix the HOSTS file.

    The fix:
    Boot from your original Windows XP CD. Enter MMC. Change attributes on the HOSTS file. Remove the Read Only and Hidden attributes. Then delete the HOSTS file. Reboot. Voila! HOSTS file is OK!

    +
    0 Votes
    CG IT

    Why have the host file check box checked? For that matter, why have NetBIOS over TCP/IP enabled?

    W2K and above OSs can work on a pure TCP/IP network so you don't need a hosts file or NetBIOS over TCP/IP.

    Uncheck the box, disable NetBIOS over TCP/IP.
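
Added example, not posted by anyone in this thread: before overwriting the file as suggested above, a copy of it can be audited to see what the malware changed. This sketch flags every active entry other than the `localhost` baseline named in the thread and separates names that were blocked (pointed at loopback or 0.0.0.0) from names that were redirected elsewhere. The hostnames and addresses in `SAMPLE` are constructed, and accepting `::1 localhost` as baseline is an assumption.

```python
import ipaddress

BASELINE = {"localhost"}  # thread's rule: only "127.0.0.1 localhost" belongs in the file

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    search.example www.search.example
127.0.0.1       updates.scanner.example
0.0.0.0         definitions.scanner.example
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for each active non-baseline entry."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        if ip is None or len(fields) < 2:
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in BASELINE and ip.is_loopback:
                continue                          # the one expected mapping
            # Loopback/unspecified targets make a name unreachable, which is how
            # scanner update sites get blocked; any other target is a redirect.
            blocked = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, str(ip), name,
                             "blocked" if blocked else "redirected"))
    return findings

if __name__ == "__main__":
    for line_no, ip, name, verdict in audit_hosts(SAMPLE):
        print(f"line {line_no}: {verdict:<10} {name or '(none)'} -> {ip}")
```

An empty result means the file already matches the baseline; anything reported is worth recording before the file is reset, since it shows which sites the malware targeted.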
