Hosts file ever protected by rootkit?

RegEdit (New Member, Pacific Palisades, CA):
I've noticed that sometimes an infected hosts file can't be overwritten or deleted. I try to uncheck its read-only status, but access is always denied. I wind up having to replace it offline. Do you all know if a rootkit is ever responsible for "protecting" the hosts file?
 
Yes, some malware changes the hosts file, and in order to protect itself the malware will also change the permissions of the hosts file so you can't edit or delete it. To fix these permissions after stopping the malware, download the following batch file and save it to the desktop:

hosts-perm.bat

When the file has finished downloading, double-click on the hosts-perm.bat file that is now on the desktop. If Windows asks if you are sure you want to run it, allow it to run. You should now be able to access the hosts file.
 

I've had the same problem of having HOSTS files that can't be edited.
This will definitely come in handy :o
 
Thank you :) This will come in handy for me too!
 
Host file

Hi, did one of these yesterday. Malwarebytes has a "delete undeletable file" option under the Tools tab; just copy and edit the hosts file, delete the original and put your edited one back.
Glenn
 
All the batch file does is run the cacls and attrib commands. If you want to see your hosts file permissions, just type the following at a command prompt:
Code:
cacls "%WinDir%\system32\drivers\etc\hosts"
Malware will change the Administrators permissions from F (full) to R (read only).

Here are links to hosts files that you may want to put with the batch file to have as replacements. Windows default hosts files are all about the same, like:
Code:
#This is a sample hosts file
127.0.0.1  localhost loopback
::1        localhost
but be careful: if something like a business is using a custom hosts file, you may want to edit it instead of replacing it.
 
Why might they do that? To block employees from visiting certain sites?
Yeah, like:
Code:
#This is a sample hosts file
127.0.0.1 www.pogo.com
127.0.0.1 www.myspace.com
127.0.0.1 www.facebook.com
#etc, etc.
They want their employees working while they are there, or they block malware sites for security, like:
Code:
#This is a sample hosts file
127.0.0.1    www.malwaresite.com
#etc, etc.
 
The address 127.0.0.1 means your computer, so if you have "127.0.0.1 www.google.com" (for example) in your hosts file, when you type www.google.com in your browser, instead of going to Google the browser is directed back to your computer.

This is also how some malware blocks antimalware program updates: they put something like "127.0.0.1 updates.avast.com" in the hosts file, so when the AV tries to update it gets directed back to your computer and fails to do the update.

Here is a small fraction of a custom hosts file that Spybot Search & Destroy adds, and this is only the listing of sites that start with the numbers 0 or 1 (the actual file goes on and on):
Code:
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1    007guard.com
127.0.0.1    www.007guard.com
127.0.0.1    008i.com
127.0.0.1    008k.com
127.0.0.1    www.008k.com
127.0.0.1    00hq.com
127.0.0.1    www.00hq.com
127.0.0.1    010402.com
127.0.0.1    032439.com
127.0.0.1    www.032439.com
127.0.0.1    0scan.com
127.0.0.1    www.0scan.com
127.0.0.1    1-2005-search.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-domains-registrations.com
127.0.0.1    www.1-domains-registrations.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    100sexlinks.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com
127.0.0.1    123moviedownload.com
127.0.0.1    www.123moviedownload.com
127.0.0.1    123simsen.com
127.0.0.1    www.123simsen.com
127.0.0.1    123topsearch.com
127.0.0.1    www.123topsearch.com
127.0.0.1    125sms.co.uk
127.0.0.1    www.125sms.co.uk
127.0.0.1    125sms.com
127.0.0.1    www.125sms.com
127.0.0.1    132.com
127.0.0.1    www.132.com
127.0.0.1    1337-crew.to
127.0.0.1    www.1337-crew.to
127.0.0.1    1337crew.info
127.0.0.1    www.1337crew.info
127.0.0.1    136136.net
127.0.0.1    www.136136.net
127.0.0.1    150freesms.de
127.0.0.1    www.150freesms.de
127.0.0.1    163ns.com
127.0.0.1    www.163ns.com
127.0.0.1    17-plus.com
127.0.0.1    171203.com
127.0.0.1    1800searchonline.com
127.0.0.1    www.1800searchonline.com
127.0.0.1    180searchassistant.com
127.0.0.1    www.180searchassistant.com
127.0.0.1    180solutions.com
127.0.0.1    www.180solutions.com
127.0.0.1    181.365soft.info
127.0.0.1    www.181.365soft.info
127.0.0.1    1987324.com
127.0.0.1    www.1987324.com
127.0.0.1    1sexparty.com
127.0.0.1    www.1sexparty.com
127.0.0.1    1sms.de
127.0.0.1    www.1sms.de
127.0.0.1    1stantivirus.com
127.0.0.1    www.1stantivirus.com
127.0.0.1    1stpagehere.com
127.0.0.1    www.1stpagehere.com
127.0.0.1    1stsearchportal.com
127.0.0.1    www.1stsearchportal.com
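As an added example (not code from this thread, and not the batch file or program linked in it), a small Python auditor that applies the explanation above: it parses a hosts file, ignores comments, flags every non-default name sent to 127.0.0.1, ::1 or 0.0.0.0, and singles out entries that hit a list of security-vendor update domains. The SAMPLE text and the vendor list are constructed assumptions.

```python
import os

# Loopback/blackhole targets: an entry pointing a real site here sends it "back to your computer".
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately map to loopback in a default Windows hosts file.
DEFAULT_NAMES = {"localhost", "loopback", "localhost.localdomain"}
# Constructed illustration of vendor update domains; redirecting these is the
# "127.0.0.1 updates.avast.com" trick described above. Extend for your own tools.
VENDOR_UPDATE_DOMAINS = ("avast.com", "malwarebytes.org", "safer-networking.org",
                         "microsoft.com", "symantec.com", "kaspersky.com")
# Standard Windows location (%WinDir%\system32\drivers\etc\hosts) with a Unix fallback.
HOSTS_PATH = (os.path.join(os.environ["WinDir"], "system32", "drivers", "etc", "hosts")
              if "WinDir" in os.environ else "/etc/hosts")

def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping; comments and blank lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments, then tokenize
        for name in fields[1:]:  # one line may map several names to one address
            yield fields[0], name.lower(), lineno

def audit_hosts(text):
    """Return (redirects, blocked_updates), each a list of (lineno, ip, name).
    redirects: every non-default name sent to loopback (a Spybot block list lands here too);
    blocked_updates: the subset that hits a security-vendor update domain."""
    redirects, blocked = [], []
    for ip, name, lineno in parse_hosts(text):
        if ip in LOOPBACK and name not in DEFAULT_NAMES:
            entry = (lineno, ip, name)
            redirects.append(entry)
            if any(name == d or name.endswith("." + d) for d in VENDOR_UPDATE_DOMAINS):
                blocked.append(entry)
    return redirects, blocked

def audit_file(path=HOSTS_PATH):
    """Audit the live hosts file and also report whether it is writable,
    since malware that tampers with it often strips write access as well."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        redirects, blocked = audit_hosts(fh.read())
    return {"writable": os.access(path, os.W_OK), "redirects": redirects, "blocked": blocked}

# Constructed sample: default entries plus a policy block and a malware-style entry.
SAMPLE = """# This is a sample hosts file
127.0.0.1  localhost loopback
::1        localhost
127.0.0.1  www.facebook.com   # site block, like the business policy example
127.0.0.1  updates.avast.com  # the AV-update block described above
"""
```

audit_hosts(SAMPLE) reports lines 4 and 5 as redirects and line 5 as an update block; audit_file() runs the same check against the live hosts file and tells you whether it is still writable.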
 
Guys ... Hosts files are often locked by malware - BUT - check for "Spybot - S&D" being installed. It tends to the hosts file if it's set up to, and it won't let it be written to by other programs, for safety. A good thing, rather than bad.

Could you post the contents of the file?

And RegEdit: Sony used to sell audio CDs with a rootkit like that. Early "DRM".
 
Posted a program to help with this:
http://technibble.com/forums/showthread.php?t=22141

Added HOSTS editing in my program; basically it removes restrictions using cacls and the system/hidden attributes and opens it in Notepad. When you finish editing, save and close Notepad and it'll reset the attributes.

 