
Malware attack; Cannot view, delete, edit hacked Hosts File


  • This topic is locked
2 replies to this topic

#1 jjhill

  • Members
  • 1 posts

Posted 03 March 2011 - 07:41 PM

Hello Tech Gurus,

I hope one of you can help me. I have a problem with one of my computers at the office I am having trouble solving. I will outline the problem and what I have attempted so far. Hopefully one of you can point out a solution or something new to try.

Problem:

Computer at work cannot connect to google, yahoo, or bing search engines.

What I Have Done:

I have identified the problem as a corrupt (hacked) hosts file. If I enter the command C:\WINDOWS\system32\drivers\etc\hosts I can access the hosts file and open it in wordpad.

Note that without actually typing in the file path the hosts file cannot be accessed. It is not visible in Windows Explorer even after changing the folder options to “show hidden files and folders”. However, as mentioned, by typing in the file path location I can view the hosts file in WordPad.

Once open I can see almost 2 pages' worth of entries for various Google, Yahoo and Bing sites re-routing the browser to an unknown location, which explains the problem. I know what the problem is, but I can’t fix it. I have tried deleting the hijacked entries in WordPad, but cannot re-save the file as I get an authorization error.

As the file is not visible in Windows Explorer I cannot remove the “read-only” attribute. I have tried to overwrite the file with a clean hosts file taken from a different computer; again I get an authorization failure. I have tried running the following commands to regain administrator rights:

cacls C:\WINDOWS\system32\drivers\etc\hosts /E /G Administrators:F
cacls C:\WINDOWS\system32\drivers\etc\hosts /E /G admin:F (admin is the username)

Both commands produced authorization failure errors. I do have full administrator credentials with this login.

I have run Malwarebytes and SuperAntiSpyware and have removed several items; however, all of the above problems still remain.

I have run HijackThis, and am informed that HijackThis does not have “write” access to the hosts file, and although it finds the hijacked lines in the hosts file, it cannot remove them. Hence all the above problems remain.

I have tried booting the computer in Safe Mode to gain access to the hosts file, but even in Safe Mode the file is not visible in Windows Explorer and is unchangeable; the behaviour is exactly the same as the issues described above in Normal Mode.

I have tried deleting the entire etc folder, but cannot due to authorization failure.

What else can I try? Any other ideas out there to fix this problem?
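A defender-side check for the symptom described in this post, added here and not part of the thread: it parses hosts-file text and flags entries that send well-known search domains to a non-loopback address, which is the redirect pattern jjhill found. The sample hosts content and the watched-domain list are constructed for the example.

```python
"""Flag hosts-file entries that redirect watched domains off loopback.

Added example, not code from the thread. Sample input is constructed.
"""
import ipaddress

# Constructed sample standing in for a hijacked hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com   # redirect, not a block
203.0.113.45    google.com
203.0.113.45    search.yahoo.com
203.0.113.45    www.bing.com
127.0.0.1       ads.example.net  # loopback: a block, not a redirect
"""

# Domains the user expects to resolve through DNS (assumed list).
WATCHED_DOMAINS = ("google.com", "yahoo.com", "bing.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def _is_watched(name):
    # Exact match or a subdomain; avoids matching e.g. notgoogle.com.
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return (ip, hostname) entries mapping a watched domain off loopback.

    A loopback mapping only blocks a site; any other address silently
    redirects the browser to that host, as in the case above.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not _is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; not a valid mapping
        if not addr.is_loopback:
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"redirected: {name} -> {ip}")
```

On a live machine, feed it the contents of %WinDir%\system32\drivers\etc\hosts instead of the sample string.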

#2 SweetTech


    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 05 March 2011 - 03:01 PM

jjhill,

I have asked that this thread be moved to the malware forum, so that I am able to use more specialized tools for going at this.

Please try the following and let me know if the issue with the hosts file permissions goes away.


Running OTM

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code into the text area. Do not include the word "Code".
    :Processes
    :Services
    :Reg
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [resethosts]
    [createrestorepoint]
    
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 SweetTech


    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 08 March 2011 - 06:51 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
