Can't replace hosts file

just cleaned up an infected computer and it was redirecting search results, I found that the bad search results were coming from the hosts file, interestingly if you browse to c:\windows\system32\drivers\etc\ there is no hosts file present even with "show hidden files" turned on, I tried running hijackthis but it said that it could not rewrite the hosts file and that I must do it manually.

now if I type into run "notepad c:\windows\system32\drivers\etc\" it pulls up the bad hosts file. Now I save the hosts file elsewhere and remove the .txt extension and go to place it in that directory it comes up with the "would you like to replace file 'hosts"' but after I say yes it comes up with error "cannot move hosts: a file with that name already exists" I have tried this in safe mode logged on as administrator with no luck. but I cannot for the life of me rewrite the hosts file.

any ideas are greatly appreciated.
LVL 6
NerdsNowAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
scrathcyboyConnect With a Mentor Commented:
You have not got rid of the virus -- that is the only explanation for this behaviour.  Try NOD32 at www.eset.com -- it will wipe out any and every virus or tracker on your hard drive if you do an in-depth scan -- guaranteed to eliminate everything nasty, with the latest updates.
0
 
houssam_balloutCommented:
did you try to login using safe mode?
0
 
NerdsNowAuthor Commented:
yeah I logged in safe mode as administrator and had the same problem
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
kerickCommented:
from shell, try to rename your old hosts. then rename the new hosts.
0
 
optomaCommented:
When you showed all files can you see other hidden files?
0
 
jameso99Commented:
I would have said try Unlocker (http://ccollomb.free.fr/unlocker) but it sounds like you can't even see the file.

Did you try a Run -> sfc /scannow or a Windows repair to see if you can restore an original hosts.etc?

Also, make sure it doesn't have the Read Only box checked on the file properties.
0
 
Darren SharplesSystems SpecialistCommented:
it sounds like your pc is still infected, make sure you have completly removed the virus and chase it out of the registry. I would say that this file is being recreated by the virus
0
 
B HCommented:
note that if you ran spybot search and destroy, and told it to protect your hosts file, SBS+D will block you from touching your own hosts file.

do this:

start > run > cmd
cd\windows\system32\drivers\etc
attrib hosts -s -h -r && del hosts

then optionally you can do something like this:
rename hosts.txt hosts
(if you have your wanted hosts file named hosts.txt in that directory
0
 
johnb6767Commented:
In the registry under.....

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Check the DatabasePath value. Does it point to the \Etc folder?
0
 
NerdsNowAuthor Commented:
I tried everyones advice from every cmd command you can think of and deleting with every atribute combination, ran every cleaner/antivirus/repair tool  I had even heard of  checked all the settings you guys suggested, redid the regestry settings as suggested but I ran NOD32 and it said something about  , "found a locked error, a reboot is needed" and when it restarted I was able to replace the hosts file, horay! NOD32 did not find any threats but it did repair the "locked error"! but it looks like I have a new favorite antivirus! Thank you scrathcyboy!
0
 
scrathcyboyCommented:
Thanks NerdsNow -- I tell you, there is no end of what NOD32 discovers if you do a "deep clean search".  At times it is arduous, but it works better than all of them !!
0
All Courses

From novice to tech pro — start learning today.