
HijackThis denied write access to Hosts file

5 replies to this topic

#1 jajacks


Posted 15 February 2010 - 03:49 PM

I'm running Win7 64bit and my IE 8 browser's search provider had been corrupted by a program, according to an error I receive. Because I use Mozilla, and I'm running a fairly new PC, I figured the search provider may have been some Dell-based provider, and I thought nothing of it. However, I decided to investigate anyway. I did a small search and found out that it may be born from a BHO, so I downloaded BHORemover and found an "unknown" BHO listing, comprised of a string of alphanumeric digits similar to a registry entry. Considering that it was unknown, I attempted to delete it via the program to no avail. I looked in IE's options to see if I could see it listed in the search provider section. Nothing but bing was listed. I then downloaded HijackThis and ran a scan. The unknown BHO showed up. I clicked to correct the problem and ran the BHORemover again to check for removal. The unknown BHO didn't show up. I re-ran HijackThis, and received an odd error message:

"For some reason your system denied write access to the Hosts file."

The message is longer than that, and I can transcribe the entire message if needed. I assume the error was a result of the deletion of the no-name BHO. HijackThis doesn't show the no-name during a scan, but has the BHO in its "backups" tab. To be safe, I ran a Malwarebytes and McAfee scan and both came back clean.

Should I be worried?

Thanks in advance, and I hope to hear from someone soon.

EDIT: I should also note that I've reset my IE settings under the "advanced" tab in internet options.

Edited by jajacks, 15 February 2010 - 03:59 PM.

#2 quietman7


Posted 15 February 2010 - 05:07 PM

The HOSTS file is a text file that maps an IP address to a name. It has no extension and can be viewed using notepad.
  • Double-click on the HOSTS file.
  • A message will appear saying Windows can't open the file or Choose the program you want to open this file.
  • Scroll down the list of programs until you see Notepad.
  • Select it and click OK.
To view the Hosts file in Notepad automatically, go to Start > Run and type: notepad %windir%\system32\drivers\etc\hosts

Since the Hosts file is often used and altered by malware, some security programs (like Spybot S&D) will lock the file's read-only attributes as protection so it cannot be changed without your knowledge unless that feature is disabled.

The "system denied write access" message is normal when using HijackThis and other tools on Vista/Windows 7 due to the restrictions imposed by User Account Control (UAC). The HOSTS file is being protected. There is no need to worry about it and you can ignore the message when there is no evidence of malware infection.

Keep in mind that running HijackThis on a 64-bit machine may show log entries which indicate (file missing) when that is NOT the case, so you need to verify that the file is actually missing. Anti-malware scanners have problems enumerating the drivers and services on 64-bit machines, so they do not always work properly. WOW64 is the x86 emulator that allows 32-bit Windows-based applications to run on 64-bit Windows, but x86 applications are redirected to the x86 \syswow64 when seeking the x64 \system32.

Any time a 32-bit process attempts to access c:\windows\system32, the WoW64 layer redirects it into c:\windows\syswow64, which contains all of the 32-bit Windows binaries. This prevents a 32-bit process from trying to load a 64-bit binary. Any scripts or tools running in a 32-bit process that reference this directory will be automatically redirected to the syswow64 directory.

For a more detailed explanation, please refer to: Making the Move to x64: File System Redirection

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
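The redirection rule described above can be modelled directly, which makes it easy to re-check a "(file missing)" entry from a 32-bit scanner on 64-bit Windows. The following is an added example, not code from the thread or from HijackThis; it assumes `C:\Windows` as the Windows directory and uses a constructed directory listing instead of a live disk. It also encodes the System32 subtrees that Microsoft documents as exempt from redirection, which is why `drivers\etc\hosts` is seen at the same path by 32-bit and 64-bit processes.

```python
"""Model of WoW64 file-system redirection, used to re-check '(file missing)'
entries that a 32-bit scanner reports on 64-bit Windows."""
import ntpath
from typing import Callable

WINDIR = r"C:\Windows"  # assumption for this example; normally taken from %windir%
SYSTEM32 = ntpath.join(WINDIR, "System32")

# System32 subtrees that WoW64 does NOT redirect (Microsoft "File System
# Redirector" docs; driverstore is exempt from Windows 7 onwards).
WOW64_EXEMPT = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")


def _under_system32(path: str):
    """Return the part of `path` below System32, or None if it is elsewhere."""
    norm = ntpath.normpath(path)
    prefix = SYSTEM32.lower() + "\\"
    return norm[len(prefix):] if norm.lower().startswith(prefix) else None


def wow64_redirect(path: str) -> str:
    """Path a 32-bit process really opens when it asks for `path`."""
    rest = _under_system32(path)
    if rest is None:
        return ntpath.normpath(path)
    low = rest.lower()
    if any(low == e or low.startswith(e + "\\") for e in WOW64_EXEMPT):
        return ntpath.normpath(path)          # exempt subtree: no redirection
    return ntpath.join(WINDIR, "SysWOW64", rest)


def verify_missing(reported: str, exists: Callable[[str], bool]) -> dict:
    """Re-check a '(file missing)' report. `exists` answers for the native
    (64-bit) view of the disk, e.g. os.path.exists in a 64-bit process; it is
    injected so the logic can run against a constructed listing offline."""
    native = ntpath.normpath(reported)
    redirected = wow64_redirect(reported)
    native_present, wow_present = exists(native), exists(redirected)
    if native_present and not wow_present and redirected.lower() != native.lower():
        verdict = "present; 32-bit scanner was redirected to SysWOW64"
    elif native_present or wow_present:
        verdict = "present"
    else:
        verdict = "really missing"
    return {"reported": reported, "scanner_looked_in": redirected, "verdict": verdict}


# Constructed native-view listing for a stand-alone run (not a real machine).
SAMPLE_DISK = {p.lower() for p in (
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\System32\drivers\example64.sys",
)}
sample_exists = lambda p: p.lower() in SAMPLE_DISK
```

On a real machine, pass `os.path.exists` from a 64-bit Python (or check the `%windir%\Sysnative` alias from a 32-bit one) as the `exists` callback.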

#3 jajacks


Posted 15 February 2010 - 05:27 PM

I believe we've worked together in the past, Quietman. Thank you for your information and help (again!). In regards to the no-name BHO, if I find another BHO in the future, is it safe to delete the entry if unsigned, unnamed, or file missing? I see the (file missing) entries you mentioned at the bottom of the log, and upon a few process lookups I gathered they were legitimate and only represented an OS incompatibility with HijackThis. However, from what I read, BHOs only affect IE and its plugins.

Thank you so much for your work and time. If you need to close the thread to devote time to people with bigger problems, I'll understand.

#4 quietman7


Posted 15 February 2010 - 07:41 PM

If you are not trained in using tools like HijackThis and are not sure about any of the log results, it's always best to confer with an expert before removing anything. That is what we are here for.

O2 entries correspond to toolbars in Internet Explorer.
O3 entries correspond to options located under the Tools menu in Internet Explorer.

Generally, if you see (file missing) with a no-name BHO as you describe, it's always best to search first to ensure the file is actually missing. If so, it can then be removed. If it is present, then do a Google search to see what it is if you don't recognize the file. If you see (file missing) on the O23 entries at the bottom with your 64-bit missing, they generally are not missing, so don't be misled by the results.

BTW: The Info on selected items button tells you what action HijackThis will perform if you choose to fix that particular entry. For example:

O20 - AppInit_DLLs: (Action taken for AppInit_DLLs: Registry value is cleared but not deleted.)
O20 - Winlogon Notify: (Action taken for Winlogon Notify: Registry key is deleted)


#5 jajacks


Posted 18 February 2010 - 07:54 PM

Ok, thanks!

#6 quietman7


Posted 18 February 2010 - 09:18 PM

You're welcome.