
May 5th, 2004 22:00

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file keeps getting overwritten

I discovered and removed a W32.Gaobot virus variant this week and one thing that it appears to have left behind is a way, on start up, to overwrite the C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file.

The virus modifies this file to specify URLs of web sites to which you are prevented access (including Symantec & McAfee, among many others). So after removing the virus, and disabling XP System Restore, I accessed and modified this file (using Notepad) by deleting the list of URLs to sites to which you are prevented access, then saving it - this will allow you to then access all of the sites.

However, after restart, the C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file again contains the list of URLs - there must be some executable on start-up that finds the "HOSTS" file and overwrites it, thus preventing access to those aforementioned web sites; if this is the case, does anyone know what this process is so I can delete it, or is there a good way to search for this process to find and delete it?

Perhaps I'm mistaken about how the file gets overwritten - does anyone have any ideas? I've searched via Google, and read information on both Symantec and McAfee, but I did not see anything about this file getting overwritten on start-up.

Thanks for any advice that you might share.


May 5th, 2004 23:00

Use the below FREE program's Tools > Auto Startup Programs to check for a newly added Startup Program.
Click on a Program in the list & it might display an extra POP-UP window with info about the Program.
The extra Program might not display a POP-UP.
If you can identify the extra Program, click on it & remove the tick to temporarily disable auto startup.
Then re-start the Computer & check the Hosts file again using Spybot Tools > Hosts file.
If that Program was the culprit you can permanently Delete it by clicking on the Program & clicking on the Delete button at the top.
If you delete extra sites, you should leave the line 127.0.0.1   localhost (it is the default).
You might want to also then use Spybot to "Lock Hosts file" as below.

You can get the FREE program called Spybot from:
http://spybot.eon.net.au/
If you install with Blind Icons you also get a Desktop shortcut which shows extra "Immunize" Options:
"Lock IE Home Page"
"Lock Hosts file"
"Lock use of Internet Options from IE > Tools > Internet Options"

Use Update 1st before Immunize & Scan for problems & delete files shown in Red or Green & auto ticked.
It also has other Tools, like list or Add/Remove of Auto Startup Programs & lists the Hosts file.

If you have already installed Spybot & "Immunize" doesn't show the extra options,
change the Shortcut link "Target" to
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"  or use "All Programs" > "Spybot > Advanced Mode"
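As an added example (not code from either poster, and not part of Spybot), here is a small Python audit of a HOSTS file showing the symptom described in this thread: it flags hostnames that have been pointed at a loopback or unroutable address, keeps the default 127.0.0.1 localhost line, and rebuilds the file without the added blocks. It assumes, as hosts-file blocking normally works, that the worm maps the vendor sites to such an address; the vendor watch-list and the sample file are constructed.

```python
from typing import List, Tuple

# Constructed watch-list of the vendors the original post says were blocked; extend as needed.
SECURITY_VENDOR_HINTS = ("symantec", "mcafee")
# Addresses a hijacking HOSTS entry typically points a blocked site at (assumption).
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Default mappings that must stay in the file (the reply above says to keep localhost).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample HOSTS file, modelled on the symptom described in the post.
SAMPLE_HOSTS = """# hosts file header comment (constructed sample)
127.0.0.1\tlocalhost
127.0.0.1\twww.symantec.com
127.0.0.1\tsecurityresponse.symantec.com   # line added by the worm
127.0.0.1\tdownload.mcafee.com
192.168.1.10\tprinter.lan
"""


def parse_hosts(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (raw_line, address, [hostnames]) per line; address is '' for blank/comment lines."""
    out = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()   # strip trailing comment, split on tabs/spaces
        out.append((raw, body[0] if body else "", [h.lower() for h in body[1:]]))
    return out


def is_hijacked(addr: str, host: str) -> bool:
    """Suspect if a non-default name is blackholed, or a security-vendor name is remapped at all."""
    if (addr, host) in DEFAULT_ENTRIES:
        return False
    return addr in BLACKHOLE_ADDRS or any(v in host for v in SECURITY_VENDOR_HINTS)


def find_hijacked(text: str) -> List[str]:
    """Hostnames in the HOSTS text that look like malware-added blocks."""
    return [h for _, addr, hosts in parse_hosts(text) for h in hosts if is_hijacked(addr, h)]


def clean_hosts(text: str) -> str:
    """Return the file with hijacked lines removed; comments and benign entries are kept."""
    kept = [raw for raw, addr, hosts in parse_hosts(text)
            if not any(is_hijacked(addr, h) for h in hosts)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("suspect entries:", find_hijacked(SAMPLE_HOSTS))
    print(clean_hosts(SAMPLE_HOSTS))
```

Running the audit again after a reboot, as the reply suggests, shows whether a start-up program has re-added the entries.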
