vkinetic
join:2009-09-17 2230

Hosts file attributes set to system and hidden

Malware has changed the attributes of the hosts file to system and hidden. HostsXPert attempts to change these attributes unsuccessfully. How can the attributes be changed so that the hosts file can be edited?
Thanks in advance
vkinetic

docrice
join:2008-03-31 Fremont, CA

attrib -r -h C:\WINDOWS\system32\drivers\etc\hosts

vkinetic
join:2009-09-17 2230

Thanks for your response - however unfortunately it's not that easy - when trying to change the attribs on the command line I get a response 'not resetting hidden file - C:\WINDOWS\system32\drivers\etc\hosts'
It's the same behaviour in Safe mode, and scans by Malwarebytes, SuperAntiSpy and Spybot all report the system clean. HJT log showed no unusual entries except the warning that the hosts file is very big and should be either deleted or manually edited, and it is at this point that I'm stuck!
Any more help would be appreciated

docrice
join:2008-03-31 Fremont, CA
reply to vkinetic

Then most likely you have a process that has a lock on it. Use handle to see which one:
»technet.microsoft.com/en-us/sysi···655.aspx

vkinetic
join:2009-09-17 2230

Thanks docrice. I need to show my ignorance here. I downloaded and ran the handles file, but a command window flew past and closed. I looked for instructions as to how to use handles (I have read the syntax for the command, but I can't see where I can use the command, and it's not recognised at the command prompt) but there doesn't appear to be any.
Should running handles result in a viewable result? If so, the system is not letting me see those results. I ran Process Explorer but there doesn't appear to be any entry for 'hosts'.
Can you point me in the right direction?
Thanks again

dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
reply to vkinetic

For a hidden (H) and system (S) file, you need to reset both attributes at once. The attrib command will not do one at a time.
The error message 'not resetting hidden file' does not mean 'the file is locked', it means 'I'm not resetting the attributes on that file because it's hidden'.

vkinetic
join:2009-09-17 2230

Thanks Dave, but I did run the attributes command with both switches at once (-r -h), but I still got the message 'not resetting hidden file - C:\WINDOWS\system32\drivers\etc\hosts'
Thanks

dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS

The switches you need are -s (system) and -h (hidden). -r is readonly.
Are you sure the error said "not resetting hidden" rather than "not resetting system"? It seems paradoxical to tell you that the file is hidden on any command that includes -h to reset the hidden attribute. "Not resetting system" in response to a -r -h request however makes perfect sense.

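The point dave makes (Hidden and System have to be cleared together, and -r is a different flag) can be checked and applied without attrib's terse messages. The following PowerShell script is an added example, not code from this thread; it assumes the default hosts location and reads the flags, then removes Hidden, System and ReadOnly in a single write, which is what `attrib -s -h -r` does. An access-denied error at that step is reported as what it is: a permissions or file-protection problem rather than an attribute problem.

```powershell
# Added example (not from the thread): show which of ReadOnly/Hidden/System
# are set on the hosts file, then clear them in one write, which is the
# "reset both at once" point dave makes above.
# Assumes the default Windows location; change $HostsPath if yours differs.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Read the current flags as a [System.IO.FileAttributes] value.
$attrs = [System.IO.File]::GetAttributes($HostsPath)
Write-Host "Current attributes: $attrs"
foreach ($flag in 'ReadOnly', 'Hidden', 'System') {
    $bit = [int][System.IO.FileAttributes]$flag
    $set = ([int]$attrs -band $bit) -ne 0
    Write-Host ('  {0,-8} set: {1}' -f $flag, $set)
}

# Build a mask of the three flags and remove them together. This is the
# equivalent of 'attrib -s -h -r <file>': one SetAttributes call, so there is
# no intermediate state in which only one of Hidden/System has been cleared.
$mask = [int][System.IO.FileAttributes]::Hidden -bor
        [int][System.IO.FileAttributes]::System -bor
        [int][System.IO.FileAttributes]::ReadOnly
$cleared = [System.IO.FileAttributes]([int]$attrs -band (-bnot $mask))
# A file with no flags at all is expressed as Normal, never as 0.
if ([int]$cleared -eq 0) { $cleared = [System.IO.FileAttributes]::Normal }

try {
    [System.IO.File]::SetAttributes($HostsPath, $cleared)
    Write-Host "Attributes now: $([System.IO.File]::GetAttributes($HostsPath))"
}
catch [System.UnauthorizedAccessException] {
    # 'Access denied' at this point is not an attribute problem: either the
    # DACL no longer grants this account write access, or a protection module
    # or open handle is holding the file. Inspect permissions before retrying.
    Write-Warning "Access denied resetting attributes on ${HostsPath}: $($_.Exception.Message)"
}
```

Run it from an elevated prompt on Vista or later; on XP an administrator account is enough. The flag report before the write is the part worth keeping, since it shows exactly which bits the malware set.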
vkinetic
join:2009-09-17 2230

Thanks Dave - I tried that, but the response is:
'Access denied - C:\WINDOWS\system32\drivers\etc\hosts'
So something must be locking it or there is a policy restriction somewhere
Thanks for your help

owlyn Premium,MVM join:2004-06-05 Newtown, PA
reply to vkinetic

Use the command line CACLS tool to regain control of the file. Here is a link to the command syntax:
»technet.microsoft.com/en-us/libr···872.aspx
You may need to download cacls.exe from Microsoft, as not all systems have it.
Here is some relevant info from that link:

Cacls: Displays or modifies discretionary access control list (DACL) files.

Syntax:
cacls FileName [/t] [/e] [/c] [/g User:permission] [/r User [...]] [/p User:permission [...]] [/d User [...]]

Parameters:
FileName : Required. Displays DACLs of specified files.
/t : Changes DACLs of specified files in the current directory and all subdirectories.
/e : Edits a DACL instead of replacing it.
/c : Continues to change DACLs, ignoring errors.
/g User:permission : Grants access rights to the specified user. Valid values for permission:
  n  None
  r  Read
  w  Write
  c  Change (Write)
  f  Full Control
/r User : Revokes access rights for the specified user.
/p User:permission : Replaces access rights for the specified user. Valid values for permission are the same as for /g (n, r, w, c, f).
/d User : Denies access for the specified user.
/? : Displays help at the command prompt.

docrice
join:2008-03-31 Fremont, CA
reply to vkinetic

handle.exe is a CLI only program. Open a prompt, perhaps elevate the process if you're running Vista or 7, and do:
handle.exe >> c:\myresults.txt
and you can scan through that.

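docrice suggests a lock and dave says the attrib message does not prove one, and the 'Access denied' reply later in the thread still leaves both possibilities open. The script below is an added example, not code from docrice or dave; it assumes the default hosts path and that Sysinternals handle.exe, if used, is on the PATH. It opens the file for write with no sharing, which fails with a sharing violation if any other process holds the file open and with UnauthorizedAccessException if the DACL is the problem, and only in the locked case runs handle.exe with a name filter instead of dumping every handle on the system into a text file.

```powershell
# Added example (not docrice's or dave's code): tell a locked file apart from a
# permissions problem before hunting for the holder. Path and the handle.exe
# name filter are assumptions.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$SharingViolation = -2147024864   # HRESULT 0x80070020, ERROR_SHARING_VIOLATION

function Test-HostsFileAccess {
    param([string]$Path)
    try {
        # ReadWrite with FileShare None fails if *anything* else has the file open.
        $fs = [System.IO.File]::Open($Path,
                [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::ReadWrite,
                [System.IO.FileShare]::None)
        $fs.Close()
        return 'writable'          # no lock, and the DACL allows write
    }
    catch [System.UnauthorizedAccessException] {
        return 'access-denied'     # DACL (or ownership) problem, not a lock
    }
    catch [System.IO.IOException] {
        # PowerShell may wrap the .NET exception; unwrap to read its HRESULT.
        $ex = $_.Exception
        if ($ex -isnot [System.IO.IOException] -and $ex.InnerException) { $ex = $ex.InnerException }
        $hr = [System.Runtime.InteropServices.Marshal]::GetHRForException($ex)
        if ($hr -eq $SharingViolation) { return 'locked' }
        return "io-error: $($ex.Message)"
    }
}

$state = Test-HostsFileAccess -Path $HostsPath
Write-Host "hosts file state: $state"

switch ($state) {
    'locked' {
        # Only now is it worth asking which process holds it. handle.exe takes
        # an optional name substring, so filter to the hosts path rather than
        # paging through the full output.
        $handle = Get-Command handle.exe -ErrorAction SilentlyContinue
        if ($handle) {
            & $handle.Path -accepteula 'etc\hosts'
        } else {
            Write-Warning 'handle.exe not on PATH; run it from its folder: handle.exe etc\hosts'
        }
    }
    'access-denied' {
        # A lock hunt will not help here; look at the DACL and owner instead.
        Get-Acl -Path $HostsPath | Format-List Owner, AccessToString
    }
}
```

'writable' means neither explanation applies and the original attrib problem was the only obstacle; 'locked' points at a protection module or another process, which is the case several later replies describe; 'access-denied' means the permissions, not a handle, need attention.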
vkinetic
join:2009-09-17 2230

Thanks docrice - after running handle.exe no 'myresults.txt' is found on the system.
Thanks

vkinetic
join:2009-09-17 2230

Sorry docrice - ignore my last message. I have attached the resultant file - are you able to see anything relevant?
Thanks

docrice
join:2008-03-31 Fremont, CA

At first glance, I don't see anything unusual. Perhaps an application you're running is interpreting access to the hosts file from specific kinds of processes (such as a user CLI shell) as potentially harmful. You may have to turn off services related to this, perhaps an AV app? It's plausible that anti-malware apps (or perhaps malware apps themselves) lock that file to avoid further tampering.
Another route for investigation is to use Process Monitor and examine the file system for processes that hit the hosts file. You'll have to define a filter to look for instances only relating to that file, otherwise you'd have to do a lot of unnecessary parsing.
»technet.microsoft.com/en-us/sysi···645.aspx

norwegian Premium join:2005-02-15 Outback
·WestNet Broadband

I wonder if SuperAntiSpyware, Spybot S&D or some similar program has a protection module locking the hosts file. I'm seconding your thought on a spyware program protecting it.
If there was malware and no third party program locking it, my choice would be to look at doing a re-install repair (not to be confused with the repair function) as cacls and resetting permissions might work, however what other file has been played with?
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

Owlbet Ignite the Ice Premium,MVM join:2002-09-24 Palmer, AK
·MTA Online
reply to docrice

said by docrice: "You may have to turn off services related to this, perhaps an AV app?"

Spybot Search & Destroy has a feature to render the Hosts File as read only as protection against malware.
Spy Sweeper has a similar feature.
I've had to temporarily disable both to update and/or edit my Hosts File. Once edited, Windows Defender wants me to approve or deny the edits.
Sigh! Malware sucks.

owlyn Premium,MVM join:2004-06-05 Newtown, PA
reply to vkinetic

Is there some reason why you do not want to run cacls, which will get you control of your file and assign permissions?

vkinetic
join:2009-09-17 2230

Thank you owlyn - no there is no real reason - I thought I'd follow docrice's procedures first. But I had run Process Explorer earlier and, despite finding it a bit daunting, could not see anything relating to the hosts file. Running cacls as suggested by you was the next plan of attack - I do find the syntax a bit unclear but I should be able to work it out. Since it's Saturday night and I'm just about to start recording (yes, another one of those geeky musos) I'll leave that until tomorrow. I very much appreciate your input owlyn, and all the others - this is a really good board and much better than others I have had to use over the years

owlyn Premium,MVM join:2004-06-05 Newtown, PA

I believe this syntax will do it for you. No guarantees:
open a command prompt and type
c:\windows\system32\cacls c:\windows\system32\drivers\etc\hosts /g Shane & Jodi:rwcf
This should work, but I am not sure if the syntax allows your user name. If not, put the user name in double quotes:
cacls c:\windows\system32\drivers\etc\hosts /g: "Shane & Jodi":rwcf
If that doesn't work, try:
cacls "c:\windows\system32\drivers\etc\hosts /g: Shane & Jodi:rwcf"

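Two details matter when turning the cacls reference owlyn quoted into a command. First, per that reference `/g` without `/e` replaces the whole DACL, so a bare `cacls hosts /g user:F` would leave the user as the only principal with access and strip the SYSTEM and Administrators entries; `/e` edits the existing list instead. Second, the permission is a single letter (N, R, W, C or F), and a name containing spaces or `&` has to be quoted so cmd.exe does not treat `&` as a command separator. The script below is an added example, not owlyn's command; it assumes the default hosts path, uses the logged-in account as a placeholder for the real user name, backs up the DACL as cacls prints it, and falls back to the .NET ACL API when cacls.exe is not installed.

```powershell
# Added example (not owlyn's command): grant one account Change access on the
# hosts file while keeping the rest of the DACL. $Account is a placeholder
# for the user who needs to edit the file; the path is the default location.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Account   = "$env:USERDOMAIN\$env:USERNAME"   # e.g. PCNAME\Shane & Jodi

# Keep a copy of the DACL as cacls/Get-Acl report it, so the change can be
# compared against the original or undone by hand.
$backup = Join-Path $env:USERPROFILE 'hosts-acl-before.txt'
Get-Acl -Path $HostsPath | Format-List Owner, AccessToString | Out-String |
    Set-Content -Path $backup

if (Get-Command cacls.exe -ErrorAction SilentlyContinue) {
    # cacls form: /e edits instead of replacing, C = Change, and the quoted
    # argument keeps a name with spaces or '&' intact. Typed at cmd.exe this is:
    #   cacls "C:\WINDOWS\system32\drivers\etc\hosts" /e /g "PCNAME\Shane & Jodi":C
    & cacls.exe $HostsPath /e /g "${Account}:C"
} else {
    # Same change through the .NET ACL API: add (or replace) one Allow rule
    # for this account only; every other entry in the DACL is untouched.
    $acl  = Get-Acl -Path $HostsPath
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Account, 'Modify', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $HostsPath -AclObject $acl
}

# Show the result; the pre-existing entries should still be listed.
Get-Acl -Path $HostsPath | Format-List Owner, AccessToString
```

If either branch itself fails with access denied, the file's owner has usually been changed as well; an administrator has to take ownership first (takeown /f on Vista and later, or the Security tab's Owner page) before the DACL can be edited.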
dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
reply to vkinetic

Before you change anything, please just post the output of these two commands here
attrib C:\WINDOWS\system32\drivers\etc\hosts >foo.txt
cacls C:\WINDOWS\system32\drivers\etc\hosts >>foo.txt
Note two angle brackets in the second command!
The output will be in file foo.txt; please post the contents here.
Those will tell us the current attributes and permissions. (If the permissions are not the problem, then no sense in changing them).
If you're sensitive about us knowing the usernames in the output, then replace it but do it consistently (e.g. you could replace VKINETIC by USER1, OTHER by USER2, etc). And we'd also need to know the (translated) username you're logged in as -- i.e., in this example, are you currently USER1?

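dave's request, including the consistent renaming of accounts he describes, can be done in one step so that the posted file is both complete and comparable to the 'logged in as' line. The script below is an added example, not dave's; it assumes the default hosts location, writes to foo.txt in the user's profile folder, and builds the USER1/USER2 map from the principals actually present in the ACL plus the current user rather than guessing names with a pattern, leaving well-known principals such as SYSTEM and Administrators readable.

```powershell
# Added example (not dave's script): collect the attrib and cacls output for
# the hosts file plus the logged-in account into foo.txt, and optionally
# rename accounts consistently (USER1, USER2, ...) before posting.
# The file location and the placeholder scheme are assumptions.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Report    = Join-Path $env:USERPROFILE 'foo.txt'
$Redact    = $true

$lines = @('=== attrib ===')
$lines += & attrib.exe $HostsPath 2>&1
$lines += '=== cacls ==='
if (Get-Command cacls.exe -ErrorAction SilentlyContinue) {
    $lines += & cacls.exe $HostsPath 2>&1
} else {
    $lines += 'cacls.exe not found on this system'
}
# The same information from the .NET ACL API, which also reports the owner.
$acl = Get-Acl -Path $HostsPath
$lines += '=== Get-Acl ==='
$lines += "Owner: $($acl.Owner)"
$lines += $acl.Access | ForEach-Object {
    "{0}`t{1}`t{2}" -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
}
$me = "$env:USERDOMAIN\$env:USERNAME"
$lines += "Logged in as: $me"
$text = $lines -join "`r`n"

if ($Redact) {
    # Map every non-well-known principal seen in the ACL (and the current
    # user) to the same USERn token everywhere it appears, so the permissions
    # still line up with the 'Logged in as' line after renaming.
    $keep = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'Everyone', 'CREATOR OWNER'
    $ids  = @($acl.Owner) +
            @($acl.Access | ForEach-Object { $_.IdentityReference.Value }) +
            @($me)
    $map  = @{}
    foreach ($id in ($ids | Sort-Object -Unique)) {
        if ($keep -notcontains $id) { $map[$id] = 'USER{0}' -f ($map.Count + 1) }
    }
    # Replace longer names first so 'DOM\user' never clobbers 'DOM\user2';
    # match case-insensitively because cacls and $env may differ in case.
    foreach ($name in ($map.Keys | Sort-Object -Property Length -Descending)) {
        $text = [regex]::Replace($text, [regex]::Escape($name), $map[$name], 'IgnoreCase')
    }
}

Set-Content -Path $Report -Value $text
Write-Host "Report written to $Report"
```

Set `$Redact` to `$false` to post the raw output. Because the map is derived from the ACL itself, a principal that appears only in cacls output but not in Get-Acl (which should not happen for the same file) would be left unrenamed, so skim foo.txt once before posting.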