The Windows Hosts file is used to map hostnames to IP addresses. But it's often the case that it's modified by malware, often with unfortunate consequences for the end user. Here, Kannon Yamada explains how you can regain control of your hosts file after a malware infection.
A Reader Asks:
Why can't I modify or replace the Windows host file? I went through all the hoops required. I've tried: Opening the file using Windows Notepad, with elevated permissions; editing the security in the properties of the Hosts File; directly modifying the Hosts File; replacing the Hosts File with a modified file and deleting the original Hosts File.Whenever I try to edit the security settings of where the hosts file is located, I get an error that Notepad cannot save.When I tried modifying the file, it says the file does not exist and then it deletes itself.Please help!
Kannon's Reply:
The Windows Hosts File offers users a tool of extraordinary power. This is a text file, commonly used to manually map hostnames to IP addresses, but it can be abused. In the wrong hands, it can block or even redirect users from one site to another. This gives it great capability as a tool for both good and evil.
As a tool for evil, it plays a role in spreading malware. Which is why some anti-malware software prevents users from modifying this file, even if they've acquired the correct permissions. If I had to take a wild stab at your problem, I'd say the problem extends from overzealous anti-malware or firewall software, or a malware infection.
The short answer: Disable your anti-malware or firewall software. Then edit the Hosts File with elevated permissions. Or run an anti-malware scan. Then edit the Hosts File with elevated permissions.
This article covers why malware attacks the Hosts File and the very short process for editing your Windows Hosts file. Be careful though, as an existing malware infection can result in further infection, including ransomware (how to beat ransomware), keyloggers, and worse.
Why Malware Attacks the Hosts File
You might wonder: Why would malware modify, or prevent access to, the Hosts File?
Consider this: What first step might a malware-infected user do after they become aware of an infection? They're going to attempt to remove the malware, right?
If they never installed an anti-malware solution, they might search for anti-malware software. In this case, if the Hosts file blocks users from accessing anti-virus websites. If the Hosts file redirects users from the anti-virus site to a spoofed website, it's possible to install additional malware, such as a keylogger (how to stop keyloggers).
If victims do possess anti-malware software, perverting the Hosts File prevents anti-malware software from updating its malware database, blunting accurate malware detection. Both kinds of attacks stymie effective malware protection.
First, we're going to give you a quick refresher on how to fix your hosts file without a malware infection. Then, we're going to talk about what to do if you've been infected, either by fixing the hosts file, or by resetting it to the factory settings.
Editing the Hosts File (Without a Malware Infection)
We've covered editing the Windows Host File. Here's a quick refresher: First, shut off your anti-malware software or firewall. Then proceed to edit the Hosts File. Editing the Hosts File just requires a text editor (all Windows systems pack in at least two kinds of text editors), although we recommend using Notepad++ (getting started with plug-ins for Notepad++).
In Windows Search, type in Wordpad or Notepad then right-click on Wordpad/Notepad and select Run as Administrator from the context menu. This launches Wordpad/Notepad with administrative permissions.
From within Wordpad, choose File then Open and choose hosts from the following directory:
C:\Windows\System32\drivers\etc\hosts
At this point you'll need to launch your text-editing application with elevated permissions. This allows the program in question to modify sensitive operating system files. Without this very crucial step, attempts to modify the Hosts File will fail. To open with elevated permissions
This is what the Hosts File looks like, once opened:
Most users shouldn't notice any kind of changes in this section. If you do notice anything (particularly any domain name) that's not written near a # sign, Google it and see what shows up.
Editing the Hosts File With a Malware Infection
If you just want to weaken the grip of the malware, you'll simply repeat the instructions from Editing the Windows Hosts File, with one key difference: You must start the computer in Safe Mode first (how to start Windows 8 or Windows 10 in Safe Mode). This prevents the malware from loading while you edit the file, which reduces its ability to interfere with your anti-malware efforts.
However, if you've seen any of the indications of a malware infection, you'll want to perform malware surgery immediately. For example, getting website redirects, pop-ups, and lots of blank pages oftentimes signals some kind of infection. The best way to scan for these kinds of infections revolves around restarting your computer in Safe Mode and initiating a malware scan. Here's our malware removal guide.
Because malware can do terrible things, like install keyloggers (or reroute you from legitimate sites to malware sites), we advise proactive and aggressive treatment. Please take care of the problem before using the computer for important work.
Resetting the Windows Hosts File
Once malware inflicts damage on the Hosts File, you'll need to repair it after removing the malware infection. Fortunately, Microsoft makes a Fix It repair tool available which automatically refreshes the file to its factory-fresh state. Downloading the Fix It file and running the executable, will do the trick.
