thedeal56

Read Only Hosts File

I am currently working on a computer that has a hijacked hosts file.  The file has been set to read only, so I cannot simply remove the erroneous entries and save the file. I tried to remove the read-only check mark from the properties, and it says "An error occurred while applying attributes to this file".  I also cannot delete the file.  I noticed that I can rename it. I tried renaming it to something else and making a new hosts file, but that didn't work.  It seems to continue reading the jacked up hosts file no matter what its name is.  Is there a quick fix for this?  Thanks for reading. Please let me know if I need to provide any additional info.

*Edit*

I have no idea how I ended up clicking CSS for one of the zones.  I apologize for that.
gtworek

Did you try to rename the file and then restart your machine?
If there was something that changed your hosts file, you can no longer trust your machine... sorry.
thedeal56

ASKER

I did try to rename/restart, and it appears to still recognize the original file as the active hosts file.  This machine did have a few rogue anti-virus applications on it, but they have since been removed.  
Are you saying that a format is the only option?
This is just another "do not trust your machine" vote...
Because this is not your machine anymore.
Timoros
Log on in safe mode and then try to delete it!
To enter safe mode, you hit the "F8" key before Windows starts and simply choose the "Safe mode" option!

In case Windows does not create another hosts file, you can do it manually very easily
http://www.mvps.org/winhelp2002/hosts.txt
I suggest backing up the most important data ONLY and then formatting.
Maybe you can solve your hosts file issue. But probably you can see this machine is not fully reliable and behaves strangely.
I cannot delete it from safe mode
Yeah, it's probably worth formatting it at this point.  I just wanted to avoid it.  Especially since the owner will more than likely just get another virus in a week's time anyway.  
Check the file - has it been encrypted by any chance?
How do I tell if it has?
It may appear in green, and/or right-click on the file and select Properties and Advanced. Is the "Encrypt file to secure data" option selected?
It is not selected.
1-Create a system restore point
 
2-Download unlocker + Microsoft's hosts fixit
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (AV may detect it as a threat, so disable AV temporarily if so)
http://support.microsoft.com/kb/972034

3-Show hidden files
http://www.bleepingcomputer.com/tutorials/tutorial62.html

4-Run unlocker and browse to
C:\windows\system32\drivers\etc
Use unlocker to delete the host file


5-Reboot and run Microsoft's fixit to create new host file

6-Reboot again and check hosts file

ASKER CERTIFIED SOLUTION
optoma
This solution is only available to members.
It sounds like some malware has tampered with the file and is subverting your attempts to fix it.
Try scanning with Malwarebytes http://malwarebytes.org/
"Yeah, it's probably worth formatting it at this point.  I just wanted to avoid it."

No need to reformat.  Get a win98 boot disk (or winxp boot disk if NTFS) and delete the hosts file.  The only thing that makes the HOSTS and LMHOSTS file read only are viruses.  Then reboot.  IF it is again read-only you still have the virus on the system.

NOD32 from www.eset.com is KNOWN to solve this problem by marking the hosts/lmhosts files as not read-only; then it will work fine, as long as the virus has also been eliminated at that time by NOD32.

This is a superb AV program BTW, and you should always have it in your arsenal of AV killer apps.
Hi there! The solution by Optoma should be followed by you. I want to make it very clear that you need not reinstall or format your system in any case. Along with that, download this small application, Process Explorer. Run this and you can see the list of applications currently running in the background.
Chances are high that your system is already infected with some malware, and the malware is blocking your attempts to access/modify the infected file. Using Unlocker you can delete/modify/unlock any file without killing the malware.
Please perform the following steps in the same order.

1. If you do not have a trusted antivirus/Internet security product already installed, it's high time you got one (Norton/McAfee/Kaspersky etc.). You can try the free and small (less powerful) anti-spyware/adware tools like Spyware S&D [this will rewrite and protect the hosts file; use the Immunize option] or Adaware. I recommend you at least download both of these and perform a complete scan and immunize till you get proper Internet security software. This step may find the virus/malware causing all the pain to you, thereby giving you unrestricted access to the hosts file.
2. If you find that none of the security software can be installed on your system due to the restriction imposed by the malware, launch ProcessExplorer, go through the running applications list, and carefully detect any suspicious application. Mostly, malicious software won't have any company name. Leave the ones with Microsoft as the company name and kill applications that seem suspicious and do not bear a company name.
3. Now try installing any of the security software. You may be lucky this time.
4. Perform a complete scan of your system by any of the security software that you have opted.
5. Download the hosts file from the link posted by optoma.

Hope these work for you. In any case, don't go for a reformat/reinstall unless you have a complete screwup of the registry or OS. Best of luck!

Get back if you need further clarification.

Regards,
Sujith.
Your HOSTS file cannot be re-attributed or deleted because it is in use by the hijacker.  So, you really need to cleanse your computer before anything else:

Install and update Malwarebytes AntiMalware.  Run it in Safe Mode, remove infectious entries, reboot computer into normal mode, then run PC Tools Registry Mechanic.

Install and run Super AntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE), then rerun Registry Mechanic.

Install and run Avast! (first remove any anti-virus programs you currently have).

Install and run jv16 Power Tools (Registry Cleaner) by Macecraft.

Run BitDefender free online scan using Internet Explorer (http://www.bitdefender.com/scanner/online/free.html)

Repeat ALL of these antivirus steps until all programs report no infections.  Often these programs will find more infections and remnants on the second try.

Now, once you have a totally clean system...

Reboot computer into Safe Mode, open a command window, "cd" into hosts file directory, then manually use "del" command to delete hosts file.
Upon further review, my boss noticed that the reason that I could not remove the read-only option was due to the security settings.  The only group that was allowed access to the file was "Authenticated Users".  He took ownership of the file as the local admin, and he was then able to add full permissions to "everyone". Once that was done, he was able to delete the file. I ran a full scan with Malwarebytes/Super Anti Spyware, and they both found nothing.  Do you guys think it's safe for me to give the machine back to the owner?  Thanks.
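
The ownership and permissions check described in the post above, as an added example that is not part of the original thread: it inspects the hosts file's attributes, owner and ACL, then takes ownership and restores the inherited ACL. It uses `icacls /reset` in place of granting full control to "everyone" as was done in the thread, and the evidence folder under `%TEMP%` is an assumed name.

```powershell
# Added example. Run from an elevated PowerShell prompt on the affected machine.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$notes     = Join-Path $env:TEMP 'hosts-incident'   # assumed evidence folder
New-Item -ItemType Directory -Path $notes -Force | Out-Null

# 1. Look before changing anything: attributes, owner and access rules.
#    A read-only flag that refuses to clear usually means the ACL does not
#    grant your account the right to write attributes. If Get-Acl itself is
#    denied, that confirms an ACL problem; continue with step 3.
$item = Get-Item -LiteralPath $hostsPath -Force
$acl  = Get-Acl  -LiteralPath $hostsPath
"Attributes: $($item.Attributes)"
"Owner:      $($acl.Owner)"
$acl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# 2. Keep the tampered ACL (as SDDL) with the incident notes.
$acl.Sddl | Set-Content -Path (Join-Path $notes 'hosts-acl-before.sddl')

# 3. Give ownership to the Administrators group, then replace the file's ACL
#    with the defaults inherited from the etc directory.
takeown.exe /F $hostsPath /A
icacls.exe $hostsPath /reset

# 4. Now that the file is readable, keep a copy and list the active
#    (non-comment, non-blank) entries that were redirecting traffic.
Copy-Item -LiteralPath $hostsPath -Destination (Join-Path $notes 'hosts.tampered') -Force
Get-Content -LiteralPath $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }

# 5. Clear the read-only/system/hidden attributes and replace the content
#    with a comment-only file (Windows resolves localhost without an entry).
attrib.exe -R -S -H $hostsPath
Set-Content -LiteralPath $hostsPath -Encoding ASCII -Value '# hosts file reset after tampering'

# 6. Verify the result. If the owner or ACL changes back after a reboot,
#    something on the machine is still rewriting the file.
Get-Acl -LiteralPath $hostsPath | Format-List Owner, AccessToString
```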
It was infected; it is never 100% safe again... It's your decision but I hope it's OK.
Try to scan the disk offline (attached to another system) and if AV found nothing - return the machine.
I gave the points to the suggestion that got me on the right track.  If you guys think I should have spread them around a bit more, let me know and I'll redo the point assignment.  Thanks a lot for all the help!