Read Only Hosts File

I am currently working on a computer that has a hijacked hosts file.  The file has been set to read only, so I cannot simply remove the erroneous entries and save the file. I tried to remove the read-only check mark from the properties, and it says "An error occurred while applying attributes to this file".  I also cannot delete the file.  I noticed that I can rename it. I tried renaming it to something else and making a new hosts file, but that didn't work.  It seems to continue reading the jacked up hosts file no matter what its name is.  Is there a quick fix for this?  Thanks for reading. Please let me know if I need to provide any additional info.

*Edit*

I have no idea how I ended up clicking CSS for one of the zones.  I apologize for that.
thedeal56Asked:

gtworekCommented:
Did you try to rename file and then restart your machine?
If there was something that changed your hosts file you can no longer trust your machine... sorry.
thedeal56Author Commented:
I did try to rename/restart, and it appears to still recognize the original file as the active hosts file.  This machine did have a few rogue anti-virus applications on it, but they have since been removed.  
thedeal56Author Commented:
Are you saying that a format is the only option?

gtworekCommented:
This is just another "do not trust your machine" vote...
Because this is not your machine anymore.
TimorosCommented:
Log on in safe mode and then try to delete it!
To enter safe mode you hit the "F8" key before Windows starts and simply choose the "Safe mode" option!!

In case Windows does not create another hosts file, you can do it manually very easily:
http://www.mvps.org/winhelp2002/hosts.txt
gtworekCommented:
I suggest backup of most important data ONLY and then format.
Maybe you can solve your hosts file issue. But probably you can see this machine is not fully reliable and behaves strangely.
thedeal56Author Commented:
I cannot delete it from safe mode
thedeal56Author Commented:
Yeah, it's probably worth formatting it at this point.  I just wanted to avoid it.  Especially since the owner will more than likely just get another virus in a week's time anyway.  
Brian PiercePhotographerCommented:
Check the file - has it been encrypted by any chance?
thedeal56Author Commented:
How do I tell if it has?
Brian PiercePhotographerCommented:
It may appear in green, and/or right-click on the file and select Properties and Advanced: is the "Encrypt file to secure data" option selected?
thedeal56Author Commented:
It is not selected.
optomaCommented:
1-Create a system restore point
 
2-Download unlocker + Microsoft's hosts fixit
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (AV may detect it as a threat, so disable AV temporarily if so)
http://support.microsoft.com/kb/972034

3-Show hidden files
http://www.bleepingcomputer.com/tutorials/tutorial62.html

4-Run unlocker and browse to
C:\windows\system32\drivers\etc
Use unlocker to delete the host file


5-Reboot and run Microsoft's fixit to create new host file

6-Reboot again and check hosts file

optomaCommented:
Or remove the drive and slave it in another machine and delete the file :)

Brian PiercePhotographerCommented:
It sounds like some malware has tampered with the file and is subverting your attempts to fix it
try scanning with  Malwarebytes http://malwarebytes.org/
scrathcyboyCommented:
"Yeah, it's probably worth formatting it at this point.  I just wanted to avoid it."

No need to reformat.  Get a win98 boot disk (or winxp boot disk if NTFS) and delete the hosts file.  The only thing that makes the HOSTS and LMHOSTS file read only are viruses.  Then reboot.  IF it is again read-only you still have the virus on the system.

NOD32 from www.eset.com is KNOWN to solve this problem by unmarking the hosts/lmhosts files so they are not read only, then it will work fine, as long as the virus has also been eliminated at that time by NOD32.

This is a superb AV program BTW, and you should always have it in your arsenal of AV killer apps.
Sujith_NairCommented:
Hi there! The solution by Optoma should be followed by you. I want to make it very clear that you need not reinstall or format your system in any case. Along with that, download this small application, Process Explorer. Run this and you can see the list of applications currently running in the background.
Chances are high that your system is already infected with some malware, and the malware is blocking your attempts to access/modify the infected file. Using Unlocker you can delete/modify/unlock any file without killing the malware.
Please perform the following steps in the same order.

1. If you do not have a trusted antivirus/Internet security product already installed, it's high time you got one (Norton/McAfee/Kaspersky, etc.). You can try the free and small (less powerful) anti-spyware/adware tools like Spyware S&D [this will rewrite and protect the hosts file; use the Immunize option] or Adaware. I recommend you at least download both of these and perform a complete scan and immunize till you get proper Internet security software. This step may find the virus/malware causing all the pain to you, thereby giving you unrestricted access to the hosts file.
2. If you find that none of the security software can be installed on your system due to the restriction imposed by the malware, launch Process Explorer, go through the running applications list, and carefully detect any suspicious application. Mostly, malicious software won't have any company name. Leave the ones with Microsoft as company name and kill applications that seem suspicious and do not bear a company name.
3. Now try installing any of the security software. You may be lucky this time.
4. Perform a complete scan of your system by any of the security software that you have opted.
5. Download the hosts file from the link posted by optoma.

Hope these work for you. In any case, don't go for a reformat/reinstall unless you have a complete screwup of the registry or OS. Best of luck!

Get back if you need further clarification.

Regards,
Sujith.
drose101Commented:
Your HOSTS file cannot be re-attributed or deleted because it is in use by the hijacker.  So, you really need to cleanse your computer before anything else:

Install and update Malwarebytes AntiMalware.  Run it in Safe Mode, remove infectious entries, reboot computer into normal mode, then run PC Tools Registry Mechanic.

Install and run Super AntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE), then rerun Registry Mechanic.

Install and run Avast! (first remove any anti-virus programs you currently have).

Install and run jv16 Power Tools (Registry Cleaner) by Macecraft.

Run BitDefender free online scan using Internet Explorer (http://www.bitdefender.com/scanner/online/free.html)

Repeat ALL of these antivirus steps until all programs report no infections.  Often these programs will find more infections and remnants on the second try.

Now, once you have a totally clean system...

Reboot computer into Safe Mode, open a command window, "cd" into hosts file directory, then manually use "del" command to delete hosts file.
thedeal56Author Commented:
Upon further review, my boss noticed that the reason that I could not remove the read-only option was due to the security settings.  The only group that was allowed access to the file was "Authenticated Users".  He took ownership of the file as the local admin, and he was then able to add full permissions to "everyone". Once that was done, he was able to delete the file. I ran a full scan with Malwarebytes/Super Anti Spyware, and they both found nothing.  Do you guys think it's safe for me to give the machine back to the owner?  Thanks.
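
The fix described in the comment above, as an added example that is not part of the original thread: inspect the hosts file's attributes, owner and ACL, take ownership, keep a copy of the tampered entries, and restore a clean file. It assumes an elevated PowerShell 3.0+ prompt; the evidence file name and the one-line replacement content are assumptions, and it grants control to Administrators only rather than to Everyone.

```powershell
# Added example - run from an elevated PowerShell prompt.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Look before changing anything: attributes, owner, and who the ACL lets in.
$item = Get-Item -LiteralPath $hostsPath -Force
$acl  = Get-Acl  -LiteralPath $hostsPath
"Attributes: $($item.Attributes)"
"Owner     : $($acl.Owner)"
$acl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# 2. Take ownership for the Administrators group (/A), then grant it full control.
#    *S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, which avoids
#    depending on the localized group name.
takeown.exe /F $hostsPath /A
icacls.exe $hostsPath /grant '*S-1-5-32-544:F'

# 3. Clear the read-only, system and hidden attributes now that the ACL allows it.
attrib.exe -R -S -H $hostsPath

# 4. Keep a copy of the tampered file for review, then list its active
#    (non-comment, non-blank) entries. The destination name is an assumption.
$evidence = Join-Path $env:TEMP 'hosts.tampered.txt'
Copy-Item -LiteralPath $hostsPath -Destination $evidence -Force
Get-Content -LiteralPath $evidence | Where-Object { $_ -match '^\s*[^#\s]' }

# 5. Write a minimal clean hosts file (assumed content), drop the explicit ACL
#    entries so the file inherits from the etc folder again, and flush the
#    resolver cache so old redirects are not served from memory.
Set-Content -LiteralPath $hostsPath -Value '127.0.0.1 localhost' -Encoding ASCII
icacls.exe $hostsPath /reset
ipconfig.exe /flushdns
```

If the file comes back read-only or re-populated after a reboot, something on the system is still rewriting it.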
gtworekCommented:
It was infected; it is never 100% safe again... It's your decision but I hope it's OK.
Try to scan the disk offline (attached to another system) and if AV found nothing - return the machine.
thedeal56Author Commented:
I gave the points to the suggestion that got me on the right track.  If you guys think I should have spread them around a bit more, let me know and I'll redo the point assignment.  Thanks a lot for all help!