It is not possible to change the file HOSTS
Most viruses that change the file hosts , and are not allowed on certain sites, or vice versa redirected to fraudulent sites that do the trick, which does not allow to modify the file the host . The options may be two, but more often they are used by both. So, down to business! Consider them.
The hosts file is hidden
The virus creates a second file system hosts file , which makes hidden. Thus the operating system reads the data from both files, and performs prescribed instructions of the virus hidden hosts file. Thus it is impossible to identify anything suspicious when checking the «visible» file.
If there is suspicion of a modification of the file hosts file , be sure to enable access to hidden files and folders , and then check whether the backup file with the virus records. Often the situation is compounded by the fact that the virus disables the display of hidden files and settings in the folder properties simply do not persist. In this case, you must first unlock the ability to display hidden files , and then delete the hidden file backup hosts file . Recall that the hosts file is edited application standard Notepad or any text editor, and is located in the folder C: \ WINDOWS \ system32 \ drivers \ etc
The script at startup
Virus writers — very resourceful people and always looking for new ways to disguise. Together with a hidden second hosts file is often used this trick, the script startup. What is this script and how borottsya with him?
The script is a set of standard Windows commands stored in a text file and edited with any text editor, such as Notepad. In our case, the most commonly used script that copies of the Windows temporary folder infected hosts file and makes it hidden. The script that basically sits in the menu Start — All Programs — Startup . Thus, each time the computer is rebooted hidden infected hosts file reappears in the system, and gives the impression that the hosts file is not possible to change.
A script that copies the infected file, often disguised as common names such as adobe updater, igfxtray, system, svchost , lsass, services, winlogon, csrss, smss, explorer, userinit, or something muffled type kG4tdew16gY . To remove a script you need to boot into safe mode, go to the menu Start — All Programs — Startup right-click the shortcut to the script and delete it. If you delete all the shortcuts menu Startup , nothing terrible will happen. Probably not boot at startup kind of program, but you will get rid of the virus. You can always reinstall the program.
In some cases, viruses mask and the Startup folder. In this case, nothing in it will not be displayed, even if the virus sits there. You must show hidden files and folders check:
For the Windows XP, : the C: \ the Documents and the Settings \ % the username% \ Start Menu \ Programs \ Startup
For Windows 7 : the C: \ Users Offline \% the username% \ the AppData \ Roaming folder \ the Microsoft \ Windows \ Etpu Start the Menu \ the Programs \ the Startup
Changed the registry key
The last and most rare viruses trick — to change the registry key responsible for the location of the file hosts file . It is necessary to start the Registry Editor. In windows xp Start — Run — type the command regedit and press the Enter , in the Windows 7 Start — enter the command regedit and press the Enter .
Now you need to check the option DataBasePath in branch the HKEY_LOCAL_MACHINE \ the SYSTEM \ CurrentControlSet \ Services \ Tcpip \ the Parameters . He must enter values have % SystemRoot% \ the System32 \ drivers \ etc .
If the value is more, double click on the parameter and enter the correct value. Now close the registry editor.