IT: Windows 7 & Hosts File...WTF?!
My dad recently got a virus. He managed to clean everything up himself except for the bad entries in the hosts file. Since he did the majority of the work himself, and he doesn't remember the name of the virus (or whatever it was) I don't have much to work with there.
According to MalwareBytes Anti-Malware and HijackThis, the funked up hosts file is the only problem left.
I want to replace his hosts file with the MVPS hosts file (http://www.mvps.org/winhelp2002/hosts.htm), but I'm having a heck of a time doing it. I know that, in Windows 7, this is one of those super ultra protected files. However, I'm experiencing something VERY weird.
In Explorer, with Show Hidden Files enabled, you cannot see the hosts file. It's like it doesn't exist.
Via an elevated Command Prompt, I can only see the hosts file with "dir /a". If it's truly hidden, this makes sense. However, the following does not.
I can open the file using Notepad if I do "notepad C:\Windows\System32\drivers\etc\hosts" via an elevated Command Prompt. I cannot overwrite the file. When I do a File > Save, it prompts me to save a text file. I change the file type to All Files and remove the extension. No dice, Notepad insists on a ".txt" extension.
If I try to delete the existing hosts file, I get the error message "Could Not Find C:\Windows\System32\drivers\etc\hosts"
If I try to change the file attributes, I get the error message "Not resetting hidden file - C:\Windows\System32\drivers\etc\hosts"
I went as far as enabling the system administrator account and, when using an elevated Command Prompt, doing a "runas /user:administrator notepad" and editing the file, and a "runas /user:administrator cmd" and issuing commands there.
My next thought is to reboot into Safemode with command prompt...but I don't have physical access to the laptop right now. All my work has been via TeamViewer.
How can I blow away the existing hosts file and replace it?
This: http://support.microsoft.com/kb/923947 or doing anything as an administrator doesn't seem to work.
I don't have a lot of Windows 7 experience, so maybe I'm missing something? I thought I was smarter than this! :angry:
When you enabled Show Hidden Files, did you also check the "Hide protected operating system files (recommended)" setting?
To save a file without an extension, simply use quotes, i.e. you would type "hosts" in the save box. Also, it does not matter what extension is picked in the drop-down when you do this.
Edit: Also, you could manually change the hidden file attribute like so: "attrib -h c:\windows\system32\drivers\etc\hosts" at a command prompt (no quotes).
Last edited by rza49311; Jan 5, 2011 at 02:54 PM.
I unchecked that, so now I can see it in Explorer. Forgot about that.
The file has been marked as "read only". I cannot remove this attribute!! I went as far as the following:
- Opened Command Prompt
- runas /user:administrator cmd
In the Command Prompt running as Administrator:
attrib -r c:\windows\system32\drivers\etc\hosts
And I get the error: Not resetting hidden file - C:\Windows\System32\drivers\etc\hosts
The same goes for if I try to remove the hidden attribute.
When trying to remove the read only attribute via Explorer, it goes through the prompts to grant my action administrative privileges, then comes back with an error about needing to give it administrative privileges!
I may need to see his laptop in person. :sigh:
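The symptoms in the post above (attrib refusing with "Not resetting hidden file", Explorer asking for elevation and then complaining it still needs it) point at two separate things on the file: the Read-only/Hidden/System attributes, and an ACL the malware may have rewritten (ownership changed, or a Deny entry for Administrators). The script below is an added example for this thread, not something posted by anyone in it, and it is untested here. It assumes the standard path under %SystemRoot%, runs from an elevated PowerShell prompt on Windows 7 (PowerShell 2.0, which is why it shells out to takeown.exe, icacls.exe and attrib.exe rather than newer cmdlets), and the vendor-hostname pattern used for flagging is an assumed, non-exhaustive list. It inspects attributes and Deny ACEs, backs the file up, flags lines that redirect hostnames off the machine or black-hole security/update sites, resets ownership, ACL and attributes, writes clean content, and flushes the DNS cache.

```powershell
# Added example, not from the thread: triage and replace a hosts file that an
# administrator cannot edit. Run from an elevated PowerShell prompt (TeamViewer is fine).
# Written for Windows 7 / PowerShell 2.0; takeown.exe, icacls.exe and attrib.exe ship with it.
param([string]$CleanSource)   # optional: path to a downloaded, checked MVPS hosts file

$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Inspect. -Force lists hidden/system files that Explorer and a plain 'dir' skip.
$item = Get-Item -LiteralPath $hosts -Force
'Attributes : {0}' -f $item.Attributes
$acl = Get-Acl -Path $hosts
'Owner      : {0}' -f $acl.Owner
# A Deny ACE for Administrators/Everyone is a common reason an elevated prompt still gets "access denied".
$acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
    ForEach-Object { 'DENY       : {0} -> {1}' -f $_.IdentityReference, $_.FileSystemRights }

# 2. Keep the evidence, then flag what the malware added.
$backup = '{0}.bak-{1}' -f $hosts, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $hosts -Destination $backup -Force

# Assumed (not exhaustive) pattern for AV/update hosts that fake-AV malware likes to black-hole.
$vendorPattern = 'microsoft\.com|windowsupdate\.com|malwarebytes|symantec|mcafee|kaspersky|sophos|avast|avg\.com'
$loopback      = '^(127\.|0\.0\.0\.0$|::1$)'

Get-Content -LiteralPath $backup | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()            # drop comments
    if ($line -eq '') { return }                 # 'return' here means: next line
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { return }          # an IP with no hostnames
    $ip = $fields[0]
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        if ($ip -notmatch $loopback) {
            'HIJACK?    {0} -> {1} (non-loopback target)' -f $name, $ip
        } elseif ($name -match $vendorPattern) {
            'BLOCKED?   {0} -> {1} (security/update site sent to loopback)' -f $name, $ip
        }
    }
}

# 3. Take the file back. If these fail, or the attributes come straight back after step 5,
#    something is still resident (hence the suggestion later in this thread to run TDSSKiller).
& takeown.exe /F $hosts | Out-Null
& icacls.exe $hosts /reset | Out-Null                  # drop explicit ACEs, re-inherit from \etc
& icacls.exe $hosts /grant 'Administrators:F' | Out-Null
& attrib.exe -R -H -S $hosts                            # clear all three at once, or attrib refuses

# 4. Write known-good content, then flush the resolver cache so cached bad answers stop.
if ($CleanSource) {
    Copy-Item -LiteralPath $CleanSource -Destination $hosts -Force
} else {
    # Minimal clean default; Windows 7 resolves localhost without a hosts entry.
    $clean = @(
        '# hosts file rewritten {0} after malware cleanup' -f (Get-Date -Format 'yyyy-MM-dd')
        '# 127.0.0.1    localhost'
        '# ::1          localhost'
    )
    Set-Content -LiteralPath $hosts -Value $clean -Encoding ASCII -Force
}
& ipconfig.exe /flushdns | Out-Null

# 5. Verify: attributes back to normal and the flagged lines gone.
(Get-Item -LiteralPath $hosts -Force).Attributes
Get-Content -LiteralPath $hosts
```

Save it as, say, Fix-Hosts.ps1 (the name is arbitrary) and run it from an elevated Command Prompt with `powershell.exe -ExecutionPolicy Bypass -File .\Fix-Hosts.ps1`, adding `-CleanSource C:\path\to\mvps\hosts` once the MVPS file has been downloaded and looked over. The backup copy is worth keeping: the flagged entries tell you which vendors the infection was trying to cut off, and if the Read-only/Hidden/System attributes or a Deny ACE reappear after a reboot, the hosts file was never the real problem.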
I haven't had a chance to look at it much since when I originally started this thread.
He ran another AV scan this morning and "Troj/FakeAV-BCF" came up. I'm not sure if it's related to the funky locked-down hosts file, but it's at least a start.
I'll post as the saga evolves...
Wouldn't hurt to run Combofix and TDSSKiller on the machine.