"Hosts" file locked

dlb · Oct 25, 2010

I've de-virused a PC -it's totally clean- but the attributes on the HOSTS file have been set by the malware so that I can't rename/change/delete it. I've tried from an elevated command prompt, I've tried from a PECD. I need to get rid of it or change it because it's re-routing all attempts to get to google to some rogue page, and we can't have that. I've even tried using the attrib command to change the attributes, and I'm denied each time.

motc7 · Oct 25, 2010

dlb said: ↑

I've de-virused a PC -it's totally clean- but the attributes on the HOSTS file have been set by the malware so that I can't rename/change/delete it. I've tried from a command prompt, I've tried from a PECD. I need to get rid of it or change it because it's re-routing all attempts to get to google to some rogue page, and we can't have that. I've even tried using the attrib command to change the attributes, and I'm denied each time.
Click to expand...

You cannot delete it with any type of program?

motc7 · Oct 25, 2010

dlb said: ↑

I've de-virused a PC -it's totally clean- but the attributes on the HOSTS file have been set by the malware so that I can't rename/change/delete it. I've tried from an elevated command prompt, I've tried from a PECD. I need to get rid of it or change it because it's re-routing all attempts to get to google to some rogue page, and we can't have that. I've even tried using the attrib command to change the attributes, and I'm denied each time.
Click to expand...

Just doing some searches on this, they are recommending Combofix...do it! :major

TimW · Oct 25, 2010

Please download HostsXpert and unzip it to your desktop, Do not run it yet.

Next.

Download OTM by Old Timer and save it to your Desktop.

Right-click OTM.exe And select " Run as administrator " to run it.
Right-click then copy the following code, Do not include the word Code.
Code:
:Files
C:\WINDOWS\system32\drivers\etc\hosts

:Commands
[emptytemp]
[start explorer]
[Reboot]
Return to OTM, right-click then paste the code into the blank box below http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png

Next click on the largehttp://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.

OTM may ask to reboot the machine. Please do so if asked.

Copy everything in the Results window (under the green bar), and paste it in your next reply.
NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Double click on HostsXpert.exe to launch the programme.

When prompted with:
HOSTS file does not exist, press OK to create HOSTS file, Cancel to quit.

Select OK.

Check to see if top button on left hand side says Make Writable?

If it does. click on it then proceed to next instruction.

If not, just proceed to next instruction

Click on Restore MS Hosts File to restore your Hosts file to its default condition

When prompted to confirm, click OK.

Click on the Download button (lower left hand side)

Click on MVPs Hosts... button.

Click on Replace button.

Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)

When finished.

Click on File Handling button.

Click on Make Read Only? to secure it against infection.

Exit the programme.

motc7 · Oct 25, 2010

Just out of curiosity, why go through all of this if Combofix would fix the problem and likely get rid of any leftover malware crap?

dlb · Oct 25, 2010

If it matters, the OS is X64 Windows7.....

motc7 said:

. . . why go through all of this if Combofix would fix the problem . . .
Click to expand...

That's a good question!

Thanks Tim! I'll give that a go here in a few minutes and let you know what happens.....
:-D

TimW · Oct 25, 2010

He is free to try doing it with Combo. Have at it.

EDIT: Combo won't run on your system.

motc7 · Oct 25, 2010

TimW said: ↑

EDIT: Combo won't run on your system.
Click to expand...

Why not?

dlb · Oct 25, 2010

:celebrate Problem solved! I tried one last thing: I booted to safe mode, right-clicked, chose "Properties" and selected the "Security" tab and messed around with the settings there, and was finally able to delete it, then I created a new "HOSTS" file.... but I've already saved a link to this thread for future use.

I think ComboFix is for X86 (32bit) Windows only.... right? :confused

TimW · Oct 25, 2010

dlb said: ↑

I think ComboFix is for X86 (32bit) Windows only.... right? :confused
Click to expand...

Right, it will not work on 64 bit systems.

motc7 · Oct 25, 2010

dlb said: ↑

:celebrate Problem solved! I tried one last thing: I booted to safe mode, right-clicked and selected the "Security" tab and messed around with the settings there, and was finally able to delete it.... but I've already saved a link to this thread for future use.

I think ComboFix is for X86 (32bit) Windows only.... right? :confused
Click to expand...

yeah, that will do! Good to hear you solved it in Safe Mode. Honestly wouldn't have thought that would have given you some leverage but whatever works!

Log in or Sign up

"Hosts" file locked

dlb MajorGeek

motc7 Vice Admiral (Starfleet)

motc7 Vice Admiral (Starfleet)

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

motc7 Vice Admiral (Starfleet)

dlb MajorGeek

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

motc7 Vice Admiral (Starfleet)

dlb MajorGeek

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

motc7 Vice Admiral (Starfleet)