How to fix a Windows Hosts file that has been hijacked by a virus. The Windows hosts file is a file used to map hostnames (website names like www.google.com that make sense to us) to IP addresses (like 126.96.36.199 that make sense to computers and the internet).
When you search for a hostname like google.com, your computer looks first in the hosts file to see if there is a corresponding IP address for it to go to. If there isn’t, your computer requests the matching IP address from your Internet Service Provider (ISP) via a system called DNS.
This file in modern computers is usually empty so the IP addresses are then provided by your ISP via DNS instead. However, viruses and malware often hijack it to make some (or all) websites unreachable by adding incorrect hostname/IP addresses into the file.
For example, the hostname for security websites like Norton or McAfee may be misdirected to a non-existent or virus infected website. If you find that you are unable to update your antivirus software or browse to certain websites like those of antivirus software companies, your hosts file may have been hijacked by a virus.
How To Tell If Hosts File Has Been Hijacked? The file is located in the folder C:\Windows\System32\Drivers\Etc and is a file called hosts (with no file extension).
Double click on the file to open it – you will be asked which program to use to open it. Select ‘Notepad’ to open it (not Wordpad or Word). Once opened you should see text similar to the following:
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ‘#’ symbol.
# For example:
# 188.8.131.52 rhino.acme.com # source server
# 184.108.40.206 x.acme.com # x client host
Any line with a # at the beginning is just a comment line – it doesn’t do anything so just leave it alone. An entry of “127.0.0.1 localhost” as above is a standard entry for many Windows systems – if it is there just leave it alone. If you see no other entries your file is not hijacked by a virus – close Notepad and check if a virus has configured a proxy server that is stopping your internet access.
If you see other entries like those below, your hosts file has been hijacked by a virus:
These lines redirect your requests to those antivirus company websites back to your own computer i.e. they block you from being able to browse to, or update from, the Mcafee and Norton (Symantec) websites. If there are many lines like this for antivirus companies they were probably put there by a virus to stop you getting information and updates from antivirus companies which might help you remove the virus.
How To Fix It? To fix the problem, just delete the unwanted lines like the 2 above and then save the Hosts file and close Notepad.
Can’t Save The Changes? The virus may have made the file read-only and/or changed the permissions of the file to stop you changing/saving it. To fix this, close the hosts file and click here to download a Hosts Permissions batch file from Bleeping Computer.
Once downloaded, double click the hosts-perm.bat file you just downloaded to run it and change the permissions of your hosts file. Now open your hosts file in Notepad again, delete the unwanted lines like the two above and then save the file and close Notepad.
What To Do Next
Hopefully you can access the internet now but make sure you remove any viruses that still remain on your computer – see our series of articles on How To Remove Viruses.