itsonlyjustincase
2010-05-11, 09:55
I was called out to check out a client's PC because the client was sure that a virus was on it. When I got there, no S&D was installed and the installed AV wasn't running.
I had downloaded Spybot and AVG beforehand and took them with me. After installing Spybot and updating it I tried to use the Immunize feature. All of them successfully immunized except for the "Global (Hosts)". I was running as a user with Computer Administrator rights on Windows XP. Dropping to a command prompt I looked at the attributes of the hosts file located in this dir:
C:\WINDOWS\system32\drivers\etc
attrib showed that the hosts file had the System, Hidden, and Read-only file attributes set. Trying to remove these attributes using:
attrib -s -h -r hosts
failed with some access denied error.
I ran this command:
cacls C:\WINDOWS\system32\drivers\etc\hosts /G Everyone:F
and then this command worked fine:
attrib -s -h -r hosts
After examining the hosts file I saw that the malware/spyware/virus was redirecting most Google sites to a different IP address. I deleted this hosts file and replaced it with a copy of the standard Windows one. Then Spybot S&D was able to completely immunize successfully.
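A small check for the hijack pattern described in this post, written as an added example rather than anything from the post or from Spybot: it parses hosts-file text and flags any hostname mapped to a routable address instead of loopback. The sample hosts content and the 198.51.100.23 address are constructed placeholders, not values from the post.

```python
import ipaddress

# Constructed sample hosts file mirroring the symptom in the post:
# Google names pointed at an attacker-controlled address (placeholder IP).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   www.google.com
198.51.100.23   google.com
198.51.100.23   google.co.uk   # trailing comment is ignored
127.0.0.1       ads.example.net
::1             localhost
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # address with no names
            continue
        ip, names = parts[0], parts[1:]
        for name in names:                    # one line may list several names
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag names mapped to a routable (non-loopback, non-unspecified) address.

    A workstation hosts file normally only maps names to 127.0.0.1/::1 or
    0.0.0.0 (blocking or local testing). A public site such as google.com
    pointed at a real address is the redirection pattern seen in the post.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name, "hostname redirected to routable address"))
    return flagged
```

Run it over the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) after clearing the attributes as the post describes; entries pointing to a LAN address may be legitimate and should be reviewed rather than deleted blindly.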