Can't delete corrupt C:\WINDOWS\system32\drivers\etc\hosts file

neil

OS XP... I had a virus that redirected yahoo, Google, etc to another web
site. Ran a scan and eliminated the virus. The
C:\WINDOWS\system32\drivers\etc\hosts file was not visible when opening the
etc folder. I tried to create a new hosts file and was stopped by an error
that said the file already existed. I opened the etc\hosts file in the dos
window and listed its contents. It was filled with yahoo / Google redirects.
I tried to delete it with the dos command and was stopped by an error that
said I didn't have permission... I was logged on as an administrator.

Question: should I boot up in protected mode and try to delete? If that
doesn't work should I go into the registry????

Thanks,
Neil
 
db

try using "hijack this" and look
at the report.

the top line entries will pertain
to browser and will show any
links that are redirecting your
browser.


--
db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- @Hotmail.com
- nntp Postologist
~ "share the nirvana" - dbZen

~~~~~~~~~~~~~~~
 
John John - MVP

neil said:
OS XP... I had a virus that redirected yahoo, Google, etc to another web
site. Ran a scan and eliminated the virus. The
C:\WINDOWS\system32\drivers\etc\hosts file was not visible when opening the
etc folder. I tried to create a new hosts file and was stopped by an error
that said the file already existed. I opened the etc\hosts file in the dos
window and listed its contents. It was filled with yahoo / Google redirects.
I tried to delete it with the dos command and was stopped by an error that
said I didn't have permission... I was logged on as an administrator.

Question: should I boot up in protected mode and try to delete? If that
doesn't work should I go into the registry????

This has nothing to do with the registry. Your permissions on the file
have simply been revoked or you have been explicitly denied permission
to the file.

Try granting yourself full control on the file. At the command prompt
issue these commands and see if things change:

cacls C:\WINDOWS\system32\drivers\etc\hosts /E /G Administrators:F
cacls C:\WINDOWS\system32\drivers\etc\hosts /E /G "Your User Name":F

If you have spaces in your user name you must use the "quotation marks"

John
 
Jose

OS XP...  I had a virus that redirected yahoo, Google, etc to another web
site.  Ran a scan and eliminated the virus.  The  
C:\WINDOWS\system32\drivers\etc\hosts file was not visible when opening the
etc folder.  I tried to create a new hosts file and was stopped by an error
that said the file already existed.  I opened the etc\hosts file in the dos
window and listed its contents.  It was filled with yahoo / Google redirects.
I tried to delete it with the dos command and was stopped by an error that
said I didn't have permission...  I was logged on as an administrator.  

Question: should I boot up in protected mode and try to delete?  If that
doesn't work should I go into the registry????

Thanks,
Neil

None of the above and you don't need to waste time "trying" anything.
Fix it.

The hosts file is a read only, hidden system file. It is just a text
file that you can manipulate with WordPad, Notepad or any text editor.
Before modifying the hosts file, make a copy of the current one in case
you need to restore the original.

Some third party software scanning tools will add entries to the hosts
file on purpose to block your browser from loading certain WWW sites
entirely or block advertisements from certain WWW sites that the
software knows about that contain ads or the software thinks are
inappropriate. You can remove entries in the hosts file by hand if
desired.

Malicious software can also add entries to the hosts file to redirect
your browser to some other WWW site than the one you really want to
visit. For example, if you try to browse to www.google.com, you may end
up on some WWW site that is inappropriate or just an advertisement for
a product you never heard of and don't want. Until you fix the hosts
file, your browser will always be redirected.

If your hosts file has been manipulated by malicious software, editing
the hosts file will not remove the malicious software. You will still
need to scan your system with software tools to be sure the malicious
software is entirely gone.

Malicious software scanning tools may also remove the malicious
software and leave the bad entries in the hosts file. The scanning
tools cannot tell if entries in the hosts file were made on purpose or
by malicious software, so you still may need to edit the hosts file by
hand if browser redirection occurs after the malicious software has
been removed.

Some scanning tools will report modifications to the hosts file as
suspicious and allow you to review the changes and let you decide if
the changes are appropriate or not and take action.

A hosts file is not required for your browser to function. If you
suspect an issue with the hosts file you can rename the hosts file and
test your browsing without it.

Always reboot your system and test browsing after making any changes
to the hosts file.

To manipulate the hosts file, you must make hidden files unhidden and
remove the Read Only attribute.

In Explorer, navigate to c:\windows\system32\drivers\etc

Click Tools. Folder Options, View. In Advanced Settings, enable
(tick) the radio button for:

Show hidden files and folders

Click OK.

The hosts file has no extension but some system files do and it may be
helpful to also see the file extensions for all the files. While you
are adjusting folder View options, make file extensions visible.

Click Tools, Folder Options, View. In Advanced Settings, put a check
mark (tick) in the box:

Hide extensions for known file types

Click OK.

Now the hosts file should be visible.

Make a copy of the current hosts file and name the copy appropriately
so you can find it later and undo any changes if the changes do not
work or things get worse.

Remove the Read-only attribute:

Right click the hosts file, Properties, uncheck the box that says:

Read-only

Click OK.

Now you can edit the hosts file with any text editor. Be sure to save
the hosts file after making any changes.

You will have to decide what is appropriate for your hosts file. The
default hosts file only has one entry (and a lot of comments) so if
you suspect the hosts file is part of your issue, you can delete
everything but the default entry and save the file.

Always reboot your system and test browsing after making any changes
to the hosts file.

You should make the hosts file Read-only again when you are finished
making changes. Obviously some programs or malicious software do not
pay attention to the attributes of a Read-only file, but it is good
practice for the hosts file to be Read-only.

If desired, reverse the Explorer changes to hide system files and
extensions for known file types.

If you feel your hosts file is beyond repair, replace the contents
with the Windows default values.

The default hosts file for Windows XP looks like this:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
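The procedure Jose lays out above (back the file up, clear the Read-only/Hidden/System attributes, separate deliberate ad-blocking entries from redirects, and if necessary put the default content back) can be done from PowerShell in one go. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes the usual %SystemRoot% location, must be run from an elevated (administrator) session, and the five sample lines at the bottom are constructed to look like an infected file; swap in `Get-Content -LiteralPath $HostsPath -Force` to audit the real one.

```powershell
# Added example (not from the thread): audit the hosts file, then optionally
# reset it to the Windows XP default shown above. Run as an administrator.
$HostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'

# Addresses that only ever block a name rather than send it somewhere else.
$BlockAddresses = @('127.0.0.1', '0.0.0.0', '::1')

# Parse one hosts line into Address/Names, or $null for blanks and comments.
function ConvertFrom-HostsLine {
    param([string]$Line)
    $text = ($Line -split '#', 2)[0].Trim()        # drop any trailing comment
    if ($text -eq '') { return $null }
    $fields = $text -split '\s+'
    New-Object PSObject -Property @{
        Address = $fields[0]
        Names   = @($fields | Select-Object -Skip 1)
    }
}

# Classify every mapping: 'default' (the stock localhost line), 'block'
# (name sent to loopback, typical of ad-blocking tools) or 'redirect'
# (name sent to another address, the hijack signature in this thread).
function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = ConvertFrom-HostsLine $line
        if ($null -eq $entry) { continue }
        $kind = 'redirect'
        if ($BlockAddresses -contains $entry.Address) { $kind = 'block' }
        if ($entry.Address -eq '127.0.0.1' -and ($entry.Names -join ',') -eq 'localhost') {
            $kind = 'default'
        }
        Add-Member -InputObject $entry -MemberType NoteProperty -Name Kind -Value $kind -PassThru
    }
}

# Make the file visible and writable, back it up, write the stock content,
# then set Read-only again as the post advises.
function Reset-HostsFile {
    param([string]$Path = $HostsPath)
    $item = Get-Item -LiteralPath $Path -Force      # -Force sees hidden files
    $item.Attributes = 'Normal'                      # same effect as: attrib -R -H -S
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -LiteralPath $Path -Destination "$Path.bak-$stamp"
    $default = @(
        '# Copyright (c) 1993-1999 Microsoft Corp.',
        '#',
        '# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.',
        '#',
        '127.0.0.1       localhost'
    )
    Set-Content -LiteralPath $Path -Value $default -Encoding Ascii
    (Get-Item -LiteralPath $Path -Force).Attributes = 'ReadOnly'
}

# Constructed sample of an infected file (203.0.113.0/24 is a documentation range).
$sample = @(
    '# comment line',
    '127.0.0.1       localhost',
    '127.0.0.1       ads.example.net      # left behind by an ad-blocking tool',
    '203.0.113.5     www.google.com',
    '203.0.113.5     www.yahoo.com'
)
Get-HostsEntries $sample | Format-Table Kind, Address, Names -AutoSize
# Reset-HostsFile   # uncomment once the audit shows 'redirect' rows
```

Run the audit first and read the table; only the 'redirect' rows are the problem described in this thread, while 'block' rows may be intentional. If Set-Content is refused even after the attributes are cleared, the file's permissions rather than its attributes are the obstacle, which is the case the later replies deal with. The post's advice to reboot afterwards still applies; `ipconfig /flushdns` clears the resolver cache so the new file takes effect without waiting.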
 
Bill in Co.

Jose said:
None of the above and you don't need to waste time "trying" anything.
Fix it.

The hosts file is a read only, hidden system file. It is just a text
file that you can manipulate
with WordPad, Notepad or any text editor. Before modifying the hosts
file, make a copy of the current one
in case you need to restore the original.

Use Notepad, not Wordpad, as the former is a pure text editor, and the
latter is a (albeit very limited) word processor (if using Wordpad, he'd
have to be somewhat diligent in his settings to get a pure text file :)
 
Ben Myers

csingsaas said:
I have the exact same issue as reported by Neil. It is a windows XP
computer.
When I view the c:\windows\system32\drivers\etc folder (showing hidden
files) the hosts file is not there. If I open up a run prompt, and type
"C:\windows\system32\drivers\etc\hosts" it does open the hosts file
however. It is filled with entries that a virus left in there. If remove
them and then save the hosts file it will not let me. Looking at the
permissions for the "etc" folder it is set to read-only. I try changing
that - it looks like it takes, but when I check the permissions again it
remains at read-only. I'm logged on as administrator.
<snip>

Try changing the read-only properties of the file itself, not the folder.
Another thing - when i open a command prompt, and list the contents of
the etc directory, it does not list the hosts file.

Try typing "dir /a" at the command prompt.

Ben
 
John Wunderlich

I have the exact same issue as reported by Neil. It is a windows
XP computer.

When I view the c:\windows\system32\drivers\etc folder (showing
hidden files) the hosts file is not there. If I open up a run
prompt, and type "C:\windows\system32\drivers\etc\hosts" it does
open the hosts file however. It is filled with entries that a
virus left in there. If I remove them and then save the hosts file
it will not let me. Looking at the permissions for the "etc"
folder it is set to read-only. I try changing that - it looks like
it takes, but when I check the permissions again it remains at
read-only. I'm logged on as administrator.

When I run HijackThis - it gives you a message along the lines
that the hosts file is set to ReadOnly and HJT this may NOT be
able to save changes. When I attempt to remove the entries in HJT,
they are simply never removed.

I've tried just about anything I can think of - and am about ready
to wipe the computer and start over (which would be a real shame
given this is the only issue).

Is there a registry entry I can make to change the read-only
element?

Another thing - when i open a command prompt, and list the
contents of the etc directory, it does not list the hosts file.

Bring up the command prompt.
Then enter the following command to make the hosts file visible:
attrib -R -H -S c:\windows\system32\drivers\etc\hosts
Then give yourself permissions to change the file:
cacls c:\windows\system32\drivers\etc\hosts /P user:F
where you replace "user" with your username.

HTH,
John
 
Jose

I have the exact same issue as reported by Neil. It is a windows XP
computer.

When I view the c:\windows\system32\drivers\etc folder (showing hidden
files) the hosts file is not there. If I open up a run prompt, and type
"C:\windows\system32\drivers\etc\hosts" it does open the hosts file
however. It is filled with entries that a virus left in there. If I remove
them and then save the hosts file it will not let me. Looking at the
permissions for the "etc" folder it is set to read-only. I try changing
that - it looks like it takes, but when I check the permissions again it
remains at read-only. I'm logged on as administrator.

When I run HijackThis - it gives you a message along the lines that the
hosts file is set to ReadOnly and HJT this may NOT be able to save
changes. When I attempt to remove the entries in HJT, they are simply
never removed.

I've tried just about anything I can think of - and am about ready to
wipe the computer and start over (which would be a real shame given
this is the only issue).

Is there a registry entry I can make to change the read-only
element?

Another thing - when i open a command prompt, and list the contents of
the etc directory, it does not list the hosts file.

Sounds like you are still infected - one of the redirect things
tampers with the hosts file.

Malware thinks of ways to prevent you from finding and removing it.
First it screws up your hosts file and sends you places you don't want
to go and then fixes your system so you can't get to the hosts file to
fix it. You need to remove the malware first, then fix the hosts file
if it still needs fixin'. Not the other way around.

Perform some scans for malicious software, then fix any remaining
issues:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.
 
John Wunderlich

To follow-up, the suggestion below worked. The first part (to make
the file visible) didn't work because it said it didn't have
permissions. But the 2nd part worked great and allowed me to save
changes.

I suppose I could now do the command to make it visible now that I
fixed the permissions. Thanks!

Thanks for the feedback. Glad it worked.
Yeah, I suppose I got the order wrong.

-- John
 
rachid

I did this and no change - still locked

John John - MVP said:
This has nothing to do with the registry. Your permissions on the file
have simply been revoked or you have been explicitly denied permission
to the file.

Try granting yourself full control on the file. At the command prompt
issue these commands and see if things change:

cacls C:\WINDOWS\system32\drivers\etc\hosts /E /G Administrators:F
cacls C:\WINDOWS\system32\drivers\etc\hosts /E /G "Your User Name":F

If you have spaces in your user name you must use the "quotation marks"

John

 
John John - MVP

Perhaps you still have a virus or perhaps your AV software has a lock on
the file. Try while booted to Safe Mode. If that fails try deleting it
from the Recovery Console or try with a utility like Unlocker.

John
 
VanguardLH

rachid said:
I did this and no change - still locked
<snipped rachid's attempt to hijack neil's 8-MONTH OLD thread>

So neil has become rachid. Uh huh. Start your own thread on your own
problem. You don't know if your host's setup is the same as neil's. He
and you may be using different security software that protects against
changes to the hosts file. Describe YOUR setup and YOUR actions.


--- Posting Hints ---

ALWAYS REVIEW your message before submitting it. You want someone OTHER
than yourself to understand your post. Also remember that no one here
is looking over your shoulder to see what you are pointing at. If you
don't explain your situation well by providing the DETAILS that you
already know, don't expect others to know what your situation is.
Explain YOUR computing environment and just what actions you take to
reproduce the problem.

Often you get just one chance per potential respondent to elicit a reply
from them. If they skip your post because you gave them nothing to go
on (no details, no versions, no OS, no context) then they will usually
move on to the next post and never return to yours.

What is Usenet:
http://en.wikipedia.org/wiki/Usenet
http://en.wikipedia.org/wiki/Newsgroups
http://www.masonicinfo.com/newsgroups.htm
http://www.mcfedries.com/Ramblings/usenet-primer.asp

When using a webnews-for-dummies interface (e.g., Microsoft's
Communities, Google Groups, or a leech site using a forum-to-Usenet
proxy), those are gateways to Usenet. Despite the pretense of a forum,
you are participating in a newsgroup (aka Usenet).

Note: Microsoft is dropping their "Communities" webnews-for-dummies
interface that gateways to Usenet. Microsoft is leaving Usenet.
Microsoft is not Usenet. To continue accessing the microsoft.public.*
newsgroups, you will need to connect a newsreader to a non-Microsoft
NNTP server or suffer with Microsoft's inane web-based forums.

How to post to newsgroups:
http://66.39.69.143/goodpost.htm
http://support.microsoft.com/kb/555375
http://users.tpg.com.au/bzyhjr/liszt.html
http://www.mugsy.org/asa_faq/getting_along/usenet.shtml

Regarding error or status messages:
- Do NOT omit the message.
- Do NOT describe the message.
- Do NOT summarize the message.
- Do NOT paraphrase the message.
- Do NOT truncate the message.
- Do show the ENTIRE message (but munge or star out personal info,
like your username in an e-mail address but not the domain).
And DETAIL the steps to reproduce the error or problem.

Bye.
 
Daave

meboy101 said:
I followed the instructions above, but I ended up having to remove a
fake "user" from the permissions list on the hosts file. When I
right-clicked on the hosts file, went to Properties, under Security,
whatever virus did it had created a user named "3-00a-v---bbasass11001"
or something to that effect. So I added the "Authenticated Users"
group back to the list, and removed the funky user group. This
allowed me to edit the hosts file.

I normally don't post my findings, which is kind of selfish, because it
takes too long to register, but this issue had me bugged for a very
long time. No pun intended. :p
Thanks everyone for your help

Which instructions?

Above what?

What is that takes long to register?

Do you have a specific question?
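The three permission fixes in this thread (John John's `cacls /E /G Administrators:F`, John Wunderlich's `cacls /P user:F`, and the bogus principal meboy101 removed from the Security tab) are all DACL repairs on the same file. The script below is an added example for this page, not code from any of the replies: it lists every ACE on the hosts file, flags Deny entries, SIDs that no longer resolve to an account, and principals outside a stock set, and then strips the flagged explicit entries and re-grants the standard ones. The expected-principal list is an assumption about a default install; run it in an elevated PowerShell session, and if Set-Acl itself is refused, take ownership of the file first.

```powershell
# Added example (not from the thread): audit and repair the DACL on the hosts
# file. Run as an administrator. $ExpectedPrincipals is an assumption about a
# stock install; add your own account if it legitimately has an explicit ACE.
$HostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
$ExpectedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                        'BUILTIN\Users', 'BUILTIN\Power Users',
                        'NT AUTHORITY\Authenticated Users')

# True for an ACE a practitioner would want to look at: a Deny entry, an SID
# that no longer maps to an account (Get-Acl then shows a raw SecurityIdentifier
# instead of DOMAIN\Name), or a principal that is not in the expected set.
function Test-SuspiciousAce {
    param($Ace)
    $id = $Ace.IdentityReference
    $orphaned = $id -is [System.Security.Principal.SecurityIdentifier]
    ($Ace.AccessControlType -eq 'Deny') -or $orphaned -or
        ($ExpectedPrincipals -notcontains $id.Value)
}

# One row per ACE, including whether it is inherited from the etc folder.
function Get-HostsAclReport {
    param([string]$Path = $HostsPath)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Principal  = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType        # Allow or Deny
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            Suspicious = Test-SuspiciousAce $ace
        }
    }
}

# Remove every flagged explicit ACE, then re-grant the stock set. This is the
# PowerShell equivalent of the cacls commands given earlier in the thread.
# Inherited ACEs cannot be removed here; fix those on the parent folder.
function Repair-HostsAcl {
    param([string]$Path = $HostsPath)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and (Test-SuspiciousAce $ace)) {
            $acl.PurgeAccessRules($ace.IdentityReference)   # drops all of that principal's rules
        }
    }
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($grant in @(@('BUILTIN\Administrators', 'FullControl'),
                         @('NT AUTHORITY\SYSTEM',    'FullControl'),
                         @('BUILTIN\Users',          'ReadAndExecute'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $grant[0], $grant[1], $allow)
        $acl.SetAccessRule($rule)   # replaces any existing Allow rule for that principal
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage: audit first, repair once the report confirms what will be stripped.
"Owner: $((Get-Acl -LiteralPath $HostsPath).Owner)"
Get-HostsAclReport | Format-Table Principal, Type, Rights, Inherited, Suspicious -AutoSize
# Repair-HostsAcl
```

Read the report before repairing: a Deny entry or an unresolvable SID with FullControl is exactly what produces the "you do not have permission" error the original poster saw even while logged on as an administrator, and an entry marked Inherited points at the etc folder's permissions rather than the file's. After the DACL is sane, the attrib and edit steps from the earlier replies work as described.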
 
Etal

Daave said:
meboy101 wrote:

[snip]
Thanks everyone for your help

Which instructions?

Above what?

What is that takes long to register?

Do you have a specific question?

If you missed it, 'meboy' is posting with "User-Agent: vBulletin
USENET gateway". We don't see what 'meboy' saw and 'meboy'
probably won't see us.

Questions should have been: What is Usenet? What am I doing,
posting to various web-sites each requiring their own
registration instead of using Usenet directly where at most one
registration is needed for any number of groups/topics?

Usenet via AIOE.org = no registration at all required to post.

