Malware Hosts file hidden and attrib un editable XP
Posted on 2010-09-22
Just finished removing a painful last aprt of a infection and wanted some advice.
Rmoved a rootkit with combo fix ,
cleaned up other multiple threats with malwarebytes.
cleanup browser with hijack this.
but the client still complained of google redirects.
After much pain
I found the host file missing under c:\%systemroot%\system32\drivers\etc
when i tried to copy a fresh HOSTS back i got a replace existing file warning.
But acces was denied.
unhid files in folder options still couldnt see the host file , tried command prompt aswell.
So i booted from my falcon four boot disk, into mini XP ( ramdisk)
And i could the see the host file (transparent)
opened it up and it had a heap of IP redirects for all things google , to a chinese Proxy i assume to facilitate some sort of piggy in the middle data collection.
anyways i tried to delete it and it said access denied
I tried to change the file attributes via attrib command again with access denied
I tried to change NTFS permissions with command also with access denied.
All I could do to facilitate a repair was rename it the file to "hostsold" which it allowed me to do.
then I copied a fresh hosts file in its place..
Viola problem solved !
My question is ?
How come i couldn't modify the comprimsed file and see it under the normal windows , is there some sort of file system hack going around?
Even the recovery console acces denied me under administrator account. nor could i see it under DOS.
This worries me that there is some file system exploit allowing this file to exist in limbo, invisble when the OS is running
and uneditable outside the operating system.
Any Help would put my mind at ease