Sunday, November 8, 2009

Could not delete or Edit Host file because of Virus

Recently, and yes this is definitely when Tech Bytes, I was cleaning a computer that was riddled with viruses. Ran all the tools - Conficker, Malwarebytes, Adware, Hijack This, etc., and removed pretty much over 244 infections of one type or another. One virus, and I have seen this before, decided to hijack the browser and the hosts file. The hosts file was full of entries redirecting the browser to all sorts of crazy sites, which would then continue to infect the machine. Booting to Safe Mode did not help. Still could not delete the hosts files. You could not change the attribute, which was set to "read only", and it had also created a backup for itself in the hosts.sam, and a folder called !Killbox in the root with another hosts file in it.

What I did:

1. Took the drive out, and added it as a USB drive to my Windows 7 laptop.
2. Took Ownership of the file.
3. Removed Authenticated Users from the permissions, where they were set to read only.
4. Added the Everyone group and gave it full rights.
5. Deleted the hosts file, the backup hosts file, and the folder !Killbox.
6. Ran Nod32 on it from my laptop.
7. Recreated the hosts file.
8. Put back into machine, booted, and rescanned again with Spybot, Malwarebytes, and installed Avast.
9. Ran Avast at boot scan after installing it. You have to reboot, then it scans before getting to Windows.

Delco
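A read-only triage check for a drive mounted as in step 1, added here as an example and not the author's own tooling: it lists every hosts entry that is not a plain localhost mapping, reports whether the file is read-only, and looks for the `hosts.sam` and `!Killbox` leftovers named above. The `Windows\System32\drivers\etc` location, the function names and the sample entries are assumptions of this example.

```python
import ipaddress
import os
import stat

# Constructed sample, not taken from the infected machine (documentation-range addresses).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.example.com
127.0.0.1       update.example.net
not-an-ip       example.org
"""

def audit_hosts_text(text):
    """Return (line_no, address, name, reason) for every entry that is not localhost -> loopback."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((no, fields[0], "", "unparseable address"))
            continue
        for name in fields[1:]:
            if name.lower() == "localhost" and ip.is_loopback:
                continue                         # default-style entry, nothing to review
            reason = "extra loopback mapping" if ip.is_loopback else "redirects to non-loopback address"
            findings.append((no, str(ip), name.lower(), reason))
    return findings

def audit_drive(root):
    """Inspect an offline-mounted Windows volume for the artefacts named in the post."""
    etc = os.path.join(root, "Windows", "System32", "drivers", "etc")  # assumed location
    hosts = os.path.join(etc, "hosts")
    report = {"findings": [], "read_only": False, "leftovers": []}
    if os.path.isfile(hosts):
        # A cleared owner-write bit is how the read-only attribute shows up in st_mode.
        report["read_only"] = not (os.stat(hosts).st_mode & stat.S_IWUSR)
        with open(hosts, encoding="utf-8", errors="replace") as fh:
            report["findings"] = audit_hosts_text(fh.read())
    for path in (os.path.join(etc, "hosts.sam"), os.path.join(root, "!Killbox")):
        if os.path.exists(path):
            report["leftovers"].append(path)
    return report

if __name__ == "__main__":
    for finding in audit_hosts_text(SAMPLE_HOSTS):
        print(finding)
```

Running `audit_drive` again after step 7 should return no findings and no leftovers if the cleanup held.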
