[LiveBrianD]

yoko, on 15 February 2011 - 04:27 PM, said:

yoko, on 15 February 2011 - 04:20 PM, said:

AgentF, on 14 February 2011 - 11:39 PM, said:

Instead of using some application, you can just delete those lines manually in a text editor like Notepad. That IP address is not owned by Google. At what point in the investigation did you notice a change in the HOSTS file? I'm wondering if the changes were made before you ran Malwarebytes and removed 100+ threats you mentioned in post 6 or afterward.

Would you mind scanning with SuperAntispyware? You can use the portable version which doesn't require an installation. You don't need to copy it to a CD or USB flash drive contrary to the instructions. Just run it like a normal program.

S
Scanning as we speak. Not sure when HOSTS file got changed. I think it was after I ran malwarebytes quick scan once then we surfed the net thinking it was ok. Then I noticed it redirected websites randomly (at least it appeared randomly)so i thought that i should recheck the HOSTS file and unfortunately, i saw the additions.
Do i delete all the lines except the first line (local host address?) to include the second line?
thanks

well, i deleted all except the 127 local host line and it wont allow me to save it. do i save it or does it change once i deleted all the line?

You MUST run notepad as an administrator to edit the hosts file, or it will not save. I warned ya...

[yoko]

LiveBrianD, on 15 February 2011 - 05:28 PM, said:

yoko, on 15 February 2011 - 04:27 PM, said:

yoko, on 15 February 2011 - 04:20 PM, said:

AgentF, on 14 February 2011 - 11:39 PM, said:

Instead of using some application, you can just delete those lines manually in a text editor like Notepad. That IP address is not owned by Google. At what point in the investigation did you notice a change in the HOSTS file? I'm wondering if the changes were made before you ran Malwarebytes and removed 100+ threats you mentioned in post 6 or afterward.

Would you mind scanning with SuperAntispyware? You can use the portable version which doesn't require an installation. You don't need to copy it to a CD or USB flash drive contrary to the instructions. Just run it like a normal program.

S
Scanning as we speak. Not sure when HOSTS file got changed. I think it was after I ran malwarebytes quick scan once then we surfed the net thinking it was ok. Then I noticed it redirected websites randomly (at least it appeared randomly)so i thought that i should recheck the HOSTS file and unfortunately, i saw the additions.
Do i delete all the lines except the first line (local host address?) to include the second line?
thanks

well, i deleted all except the 127 local host line and it wont allow me to save it. do i save it or does it change once i deleted all the line?

You MUST run notepad as an administrator to edit the hosts file, or it will not save. I warned ya...

Ok, novice time... How do i run notepad as administrator? I set it up as the owner having admin rights (or so I thought). Assist me? Because when i go to save the altered file, it says it is a read only file... Ok, just ran as administrator (right clicked on it) and tried to save and still stated that it is a read only file and to rename it. If i can figure out how to save it, do i delete the line after the first local host line or the second (::1 line?)

This post has been edited by yoko: 15 February 2011 - 05:37 PM

[AgentF]

Hey Yoko. Sorry it's giving you trouble. In order to make changes to the file, you'll need to go into it's properties, uncheck the Read Only option, make the changes, save it, then recheck the Read Only option. You'll want to delete all the lines after ::1 localhost. In the past, all you had to do to secure the HOSTS file was to set it as Read Only. Unfortunately, newer threats can bypass this, too. When fighting malware, it's one step forward and one step back. The HOSTS file is just another thing you'll have to watch. =/

P.S. Don't feel bad about being a novice. We're all here to learn and happy to help you wherever we can. =)

This post has been edited by AgentF: 15 February 2011 - 08:33 PM

[yoko]

AgentF, on 15 February 2011 - 08:32 PM, said:

Hey Yoko. Sorry it's giving you trouble. In order to make changes to the file, you'll need to go into it's properties, uncheck the Read Only option, make the changes, save it, then recheck the Read Only option. You'll want to delete all the lines after ::1 localhost. In the past, all you had to do to secure the HOSTS file was to set it as Read Only. Unfortunately, newer threats can bypass this, too. When fighting malware, it's one step forward and one step back. The HOSTS file is just another thing you'll have to watch. =/

P.S. Don't feel bad about being a novice. We're all here to learn and happy to help you wherever we can. =)

well, I attempted that. after right clicking on the notepad icon, run as administrator, make the changes, try to save and it states that it is a read only file. I went into properties, unclicked the read only box, but it wouldnt allow me to make the changes, with windows security window popping up and stating that since it was part of windows, i couldnt change it. I previously turned off UAC, hoping that would help but it didnt. In other words, it wouldnt allow me to uncheck the read only and progress to saving it.

[LiveBrianD]

yoko, on 16 February 2011 - 07:56 AM, said:

AgentF, on 15 February 2011 - 08:32 PM, said:

Hey Yoko. Sorry it's giving you trouble. In order to make changes to the file, you'll need to go into it's properties, uncheck the Read Only option, make the changes, save it, then recheck the Read Only option. You'll want to delete all the lines after ::1 localhost. In the past, all you had to do to secure the HOSTS file was to set it as Read Only. Unfortunately, newer threats can bypass this, too. When fighting malware, it's one step forward and one step back. The HOSTS file is just another thing you'll have to watch. =/

P.S. Don't feel bad about being a novice. We're all here to learn and happy to help you wherever we can. =)

well, I attempted that. after right clicking on the notepad icon, run as administrator, make the changes, try to save and it states that it is a read only file. I went into properties, unclicked the read only box, but it wouldnt allow me to make the changes, with windows security window popping up and stating that since it was part of windows, i couldnt change it. I previously turned off UAC, hoping that would help but it didnt. In other words, it wouldnt allow me to uncheck the read only and progress to saving it.

I have an idea. Open the hosts file, make the changes, and save it elsewhere (like the desktop). MAKE SURE THE NAME IS "hosts" - WITH quotes. Then, go to the C:\Windows\system32\drivers\etc folder and rename hosts to something like "hosts.old". Then, copy over the hosts file to that folder, and accept the user account control prompt. With it disabled, you might actually GET problems, since there's no prompt to elevate the privileges for that command, and in some it must do that. I've seen that before with the guest account of a PC with UAC disabled, I couldn't perform an elevated operation despite having an administrator login, so even with an admin account it might happen since those accounts still get that prompt at times.

Don't worry, even without that file, internet connectivity still seems to work (it might refresh itself only when you reboot, and then you'll be in trouble). I had a friend who accidentally deleted it while messing around and yet he was chatting with me on IM from THAT PC at THE SAME TIME...

[yoko]

LiveBrianD, on 16 February 2011 - 03:48 PM, said:

yoko, on 16 February 2011 - 07:56 AM, said:

AgentF, on 15 February 2011 - 08:32 PM, said:

Hey Yoko. Sorry it's giving you trouble. In order to make changes to the file, you'll need to go into it's properties, uncheck the Read Only option, make the changes, save it, then recheck the Read Only option. You'll want to delete all the lines after ::1 localhost. In the past, all you had to do to secure the HOSTS file was to set it as Read Only. Unfortunately, newer threats can bypass this, too. When fighting malware, it's one step forward and one step back. The HOSTS file is just another thing you'll have to watch. =/

P.S. Don't feel bad about being a novice. We're all here to learn and happy to help you wherever we can. =)

well, I attempted that. after right clicking on the notepad icon, run as administrator, make the changes, try to save and it states that it is a read only file. I went into properties, unclicked the read only box, but it wouldnt allow me to make the changes, with windows security window popping up and stating that since it was part of windows, i couldnt change it. I previously turned off UAC, hoping that would help but it didnt. In other words, it wouldnt allow me to uncheck the read only and progress to saving it.

I have an idea. Open the hosts file, make the changes, and save it elsewhere (like the desktop). MAKE SURE THE NAME IS "hosts" - WITH quotes. Then, go to the C:\Windows\system32\drivers\etc folder and rename hosts to something like "hosts.old". Then, copy over the hosts file to that folder, and accept the user account control prompt. With it disabled, you might actually GET problems, since there's no prompt to elevate the privileges for that command, and in some it must do that. I've seen that before with the guest account of a PC with UAC disabled, I couldn't perform an elevated operation despite having an administrator login, so even with an admin account it might happen since those accounts still get that prompt at times.

Don't worry, even without that file, internet connectivity still seems to work (it might refresh itself only when you reboot, and then you'll be in trouble). I had a friend who accidentally deleted it while messing around and yet he was chatting with me on IM from THAT PC at THE SAME TIME...

Ok. i deleted the extra lines and saved it to the desktop with the quotation marks. then i renamed the hosts file to hosts.old. now, i am confused as the next step. I am having a brain burp (nicer reference)!

[LiveBrianD]

yoko, on 24 February 2011 - 02:14 PM, said:

LiveBrianD, on 16 February 2011 - 03:48 PM, said:

yoko, on 16 February 2011 - 07:56 AM, said:

AgentF, on 15 February 2011 - 08:32 PM, said:

Hey Yoko. Sorry it's giving you trouble. In order to make changes to the file, you'll need to go into it's properties, uncheck the Read Only option, make the changes, save it, then recheck the Read Only option. You'll want to delete all the lines after ::1 localhost. In the past, all you had to do to secure the HOSTS file was to set it as Read Only. Unfortunately, newer threats can bypass this, too. When fighting malware, it's one step forward and one step back. The HOSTS file is just another thing you'll have to watch. =/

P.S. Don't feel bad about being a novice. We're all here to learn and happy to help you wherever we can. =)

well, I attempted that. after right clicking on the notepad icon, run as administrator, make the changes, try to save and it states that it is a read only file. I went into properties, unclicked the read only box, but it wouldnt allow me to make the changes, with windows security window popping up and stating that since it was part of windows, i couldnt change it. I previously turned off UAC, hoping that would help but it didnt. In other words, it wouldnt allow me to uncheck the read only and progress to saving it.

I have an idea. Open the hosts file, make the changes, and save it elsewhere (like the desktop). MAKE SURE THE NAME IS "hosts" - WITH quotes. Then, go to the C:\Windows\system32\drivers\etc folder and rename hosts to something like "hosts.old". Then, copy over the hosts file to that folder, and accept the user account control prompt. With it disabled, you might actually GET problems, since there's no prompt to elevate the privileges for that command, and in some it must do that. I've seen that before with the guest account of a PC with UAC disabled, I couldn't perform an elevated operation despite having an administrator login, so even with an admin account it might happen since those accounts still get that prompt at times.

Don't worry, even without that file, internet connectivity still seems to work (it might refresh itself only when you reboot, and then you'll be in trouble). I had a friend who accidentally deleted it while messing around and yet he was chatting with me on IM from THAT PC at THE SAME TIME...

Ok. i deleted the extra lines and saved it to the desktop with the quotation marks. then i renamed the hosts file to hosts.old. now, i am confused as the next step. I am having a brain burp (nicer reference)!

Open explorer and go to: C:\Windows\system32\drivers\etc
Copy the hosts file you just saved to the desktop into that folder. Then reboot the computer.

[yoko]

LiveBrianD, on 24 February 2011 - 03:42 PM, said:

yoko, on 24 February 2011 - 02:14 PM, said:

LiveBrianD, on 16 February 2011 - 03:48 PM, said:

yoko, on 16 February 2011 - 07:56 AM, said:

AgentF, on 15 February 2011 - 08:32 PM, said:

Hey Yoko. Sorry it's giving you trouble. In order to make changes to the file, you'll need to go into it's properties, uncheck the Read Only option, make the changes, save it, then recheck the Read Only option. You'll want to delete all the lines after ::1 localhost. In the past, all you had to do to secure the HOSTS file was to set it as Read Only. Unfortunately, newer threats can bypass this, too. When fighting malware, it's one step forward and one step back. The HOSTS file is just another thing you'll have to watch. =/

P.S. Don't feel bad about being a novice. We're all here to learn and happy to help you wherever we can. =)

well, I attempted that. after right clicking on the notepad icon, run as administrator, make the changes, try to save and it states that it is a read only file. I went into properties, unclicked the read only box, but it wouldnt allow me to make the changes, with windows security window popping up and stating that since it was part of windows, i couldnt change it. I previously turned off UAC, hoping that would help but it didnt. In other words, it wouldnt allow me to uncheck the read only and progress to saving it.

I have an idea. Open the hosts file, make the changes, and save it elsewhere (like the desktop). MAKE SURE THE NAME IS "hosts" - WITH quotes. Then, go to the C:\Windows\system32\drivers\etc folder and rename hosts to something like "hosts.old". Then, copy over the hosts file to that folder, and accept the user account control prompt. With it disabled, you might actually GET problems, since there's no prompt to elevate the privileges for that command, and in some it must do that. I've seen that before with the guest account of a PC with UAC disabled, I couldn't perform an elevated operation despite having an administrator login, so even with an admin account it might happen since those accounts still get that prompt at times.

Don't worry, even without that file, internet connectivity still seems to work (it might refresh itself only when you reboot, and then you'll be in trouble). I had a friend who accidentally deleted it while messing around and yet he was chatting with me on IM from THAT PC at THE SAME TIME...

Ok. i deleted the extra lines and saved it to the desktop with the quotation marks. then i renamed the hosts file to hosts.old. now, i am confused as the next step. I am having a brain burp (nicer reference)!

Open explorer and go to: C:\Windows\system32\drivers\etc
Copy the hosts file you just saved to the desktop into that folder. Then reboot the computer.

Well, when i try to copy it to the etc file, it asks me if i want to rename it hosts(2) or replace existing file of host. i renamed the file "hosts" and saved it on the desktop and tried to move it to the etc file. it acts like the file i renamed hosts.old (which is a icalender file which opened from here with microsoft outlook?) is still named just hosts although i renamed it? it states that I need permission to perform this action and when i click, it continously asks me to try again!!! so frustrating... (not the help, the computer!!!) I greatly appreciate the help!!!

This post has been edited by yoko: 24 February 2011 - 05:18 PM

[LiveBrianD]

First off, enable UAC. There should only be a file called "hosts.old" in the C:\Windows\system32\drivers\etc folder. Copy the new "hosts" file from the desktop. You shouldn't get any file replacing prompts because there currently is no "hosts" file in the C:\Windows\system32\drivers\etc folder.

[yoko]

LiveBrianD, on 25 February 2011 - 04:50 PM, said:

First off, enable UAC. There should only be a file called "hosts.old" in the C:\Windows\system32\drivers\etc folder. Copy the new "hosts" file from the desktop. You shouldn't get any file replacing prompts because there currently is no "hosts" file in the C:\Windows\system32\drivers\etc folder.

When i open the windows\system32\drivers\etc folder, there are 5 files in it: the renamed icalendar file named hosts.old, lmhosts.sam, networks, protocol and services. I turned back on the UAC, then when i try to copy the new "hosts" file from the desktop to the etc folder, it prompts me if I want to move and replace the existing folder named hosts (which is i renamed hosts.old but when i try to replace it, it doesnt recognize the name change). i click on that and it says i need administrator permission, i hit continue over, then i get the you need permission to perform this action over and over, try again.

[LiveBrianD]

yoko, on 25 February 2011 - 06:39 PM, said:

LiveBrianD, on 25 February 2011 - 04:50 PM, said:

First off, enable UAC. There should only be a file called "hosts.old" in the C:\Windows\system32\drivers\etc folder. Copy the new "hosts" file from the desktop. You shouldn't get any file replacing prompts because there currently is no "hosts" file in the C:\Windows\system32\drivers\etc folder.

When i open the windows\system32\drivers\etc folder, there are 5 files in it: the renamed icalendar file named hosts.old, lmhosts.sam, networks, protocol and services. I turned back on the UAC, then when i try to copy the new "hosts" file from the desktop to the etc folder, it prompts me if I want to move and replace the existing folder named hosts (which is i renamed hosts.old but when i try to replace it, it doesnt recognize the name change). i click on that and it says i need administrator permission, i hit continue over, then i get the you need permission to perform this action over and over, try again.

Folder named hosts? What? This is what the system folder should look like:



Hosts should have a generic file icon, NOT a folder one:



Perhaps you could try it in the command prompt (make sure to run it as an admin, otherwise it'll say Permission Denied):

C:
cd \
cd Users\whateveryourusernameis\Desktop
copy hosts "C:\Windows\system32\drivers\etc"

That worked for me.

[yoko]

LiveBrianD, on 26 February 2011 - 03:36 PM, said:

yoko, on 25 February 2011 - 06:39 PM, said:

LiveBrianD, on 25 February 2011 - 04:50 PM, said:

First off, enable UAC. There should only be a file called "hosts.old" in the C:\Windows\system32\drivers\etc folder. Copy the new "hosts" file from the desktop. You shouldn't get any file replacing prompts because there currently is no "hosts" file in the C:\Windows\system32\drivers\etc folder.

When i open the windows\system32\drivers\etc folder, there are 5 files in it: the renamed icalendar file named hosts.old, lmhosts.sam, networks, protocol and services. I turned back on the UAC, then when i try to copy the new "hosts" file from the desktop to the etc folder, it prompts me if I want to move and replace the existing folder named hosts (which is i renamed hosts.old but when i try to replace it, it doesnt recognize the name change). i click on that and it says i need administrator permission, i hit continue over, then i get the you need permission to perform this action over and over, try again.

Folder named hosts? What? This is what the system folder should look like:



Hosts should have a generic file icon, NOT a folder one:



Perhaps you could try it in the command prompt (make sure to run it as an admin, otherwise it'll say Permission Denied):

C:
cd \
cd Users\whateveryourusernameis\Desktop
copy hosts "C:\Windows\system32\drivers\etc"

That worked for me.

Sorry, hosts is a file, not a folder. His hosts file is a icalendar file, versus what your hosts file looked like from the screenshot. anyway, will try this. do you know if this problem will interfere with anything except redirecting websites? do i need to worry about security? I think i also disabled Outlook, which is the program that opens the hosts file, since it is an icalendar file (disabled it since he didnt have any use of it).

[yoko]

yoko, on 27 February 2011 - 09:34 AM, said:

LiveBrianD, on 26 February 2011 - 03:36 PM, said:

yoko, on 25 February 2011 - 06:39 PM, said:

LiveBrianD, on 25 February 2011 - 04:50 PM, said:

First off, enable UAC. There should only be a file called "hosts.old" in the C:\Windows\system32\drivers\etc folder. Copy the new "hosts" file from the desktop. You shouldn't get any file replacing prompts because there currently is no "hosts" file in the C:\Windows\system32\drivers\etc folder.

When i open the windows\system32\drivers\etc folder, there are 5 files in it: the renamed icalendar file named hosts.old, lmhosts.sam, networks, protocol and services. I turned back on the UAC, then when i try to copy the new "hosts" file from the desktop to the etc folder, it prompts me if I want to move and replace the existing folder named hosts (which is i renamed hosts.old but when i try to replace it, it doesnt recognize the name change). i click on that and it says i need administrator permission, i hit continue over, then i get the you need permission to perform this action over and over, try again.

Folder named hosts? What? This is what the system folder should look like:



Hosts should have a generic file icon, NOT a folder one:



Perhaps you could try it in the command prompt (make sure to run it as an admin, otherwise it'll say Permission Denied):

C:
cd \
cd Users\whateveryourusernameis\Desktop
copy hosts "C:\Windows\system32\drivers\etc"

That worked for me.

Sorry, hosts is a file, not a folder. His hosts file is a icalendar file, versus what your hosts file looked like from the screenshot. anyway, will try this. do you know if this problem will interfere with anything except redirecting websites? do i need to worry about security? I think i also disabled Outlook, which is the program that opens the hosts file, since it is an icalendar file (disabled it since he didnt have any use of it).

Well, i ran command prompt as administrator, typed in exactly as you had instructed and it said access denied (after asking if i wanted to overwrite c:\windows\system32\drivers\etc). I think my husband's Vista has some security feature enabled that i havent been able to alter (he cannot access some government access as well).