HostMod-A removal?
How do I remove HostMod-A malware? It's located at Private/etc/hosts, but when I try to open that folder, it says I do not have permission.
Your suggestion was a good idea, but didn't do the job. I downloaded TextWrangler and requested the /etc/hosts, as you suggested. Got the following message:
"This operation couldn’t be completed because an error occurred.
You do not have sufficient privileges to perform this operation (MacOS Error code –5000)"
This problem is turning out to be unbelievably tough!
But, I truly do appreciate the thought and effort everyone is putting into this.
Mine looks exactly as yours does.
Then the problem is deeper. Hopefully, the guy I left a message for sees it and responds here soon!
foxone12 wrote:
Nice idea and I tried it. Yes, I can 'clear from list' and the clearing lasts a full five seconds before the virus/spyware is again detected and Sophos gets very excited to tell me about it.
One last suggestion if the pop-up becomes unbearable is to go to Sophos Preferences->On-Access Scanning, unlock it and click the Stop Scanning button. That will hopefully stop the pop-ups (you may have to clear the quarantine manager again) but of course leaves you open to possible infection, if that disturbs you.
I personally do not believe that the host file is being changed by anything at this point and that the alerts are being caused by whatever other issues you are having with your Mac.
I'm going to back away at this point and observe as I've never experienced anything quite like this in my 25+ years of Mac experience, but will monitor if you need me for anything further.
Please post the output of the following shell commands:
ls -Odel /etc/
ls -Oel /etc/hosts
I do not know how to do this.
Hosts will not open.
Terminal will open, but offers no prompts and will accept no inputs.
I appreciate you taking the time to think about this and offer solutions.
It's pretty clear to me that you've got unrecoverable problems here and it's time to start over with a fresh OS X and restore your user data from backup. It's either that or make an appointment with your closest Apple Store Genius or certified Mac repair facility.
If you need help with the former, Linc has a great outline of the steps you need to take.
Please read this whole message before doing anything.
This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
The purpose of this exercise is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login. Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode* and log in to the account with the problem. The instructions provided by Apple are as follows:
*Note: If FileVault is enabled under Mac OS X 10.7 or later, or if a firmware password is set, you can’t boot in safe mode.
Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs.
The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
Test while in safe mode. Same problem(s)?
After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of the test.
Linc,
I did as you asked and lo and behold, I was able to open the hosts file in TextEdit. Here's what I found:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
91.224.160.26 google.com
91.224.160.26 google.co.uk
91.224.160.26 google.com.au
91.224.160.26 google.ca
91.224.160.26 google.us
91.224.160.26 www.google.com
91.224.160.26 www.google.co.uk
91.224.160.26 www.google.com.au
91.224.160.26 www.google.ca
91.224.160.26 www.google.us
Am I to understand all I need to do is move the google goodies from TextEdit to the trash and my problem will finally be solved? Never worked with the hosts file before, so I don't know if moving the items from TextEdit will truly modify the hosts file, or if there is something else I need to do to absolutely remove the virus/malware.
Thanks so much for getting me this far.
Bill Stroud
You mention moving "items" to the trash, but keep in mind that file is just a text file. All you need to do is select all the text below that last "localhost" line and push the delete key, then save the file.
BTW, if you are able to edit that file in safe mode, are you still able to edit it when you start up normally again?
I could edit it (delete) as you suggested, however, apparently I do not have permission to save the file. Everything is still open and I'm not going to close it until I know how to save the file. System: read & write. The other two are read only.
Try using TextWrangler instead. It can authenticate to allow edits to be saved.
You seem to have more than one issue, but the hosts file can be fixed as follows. Carry out these steps in safe mode.
Back up all data if you haven’t already done so. Before proceeding, you must be sure you can restore your system to the state it’s in now.
These instructions must be carried out in an administrator account, if you have more than one user account.
Select Go ▹ Go to Folder... from the Finder menu bar. In the text box that opens, enter the line below:
/etc/hosts
Double-click the selected file in the folder that opens. The file should open in TextEdit.
At the top of the TextEdit window, you should see something like this:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
Below that, you'll see some other lines. Delete everything below the last line shown above. Make sure you scroll all the way to the bottom of the document. In Lion, scroll bars are hidden by default until you actually start scrolling, so you may not realize that you’re not seeing the whole document.
Save your changes to a new file. In the Save As... dialog, make the name of the file “hosts” and deselect the option to add a ".txt" extension to the file name, if it's selected. Save the file to your Desktop. You should now have a file named exactly "hosts" with no extension on your Desktop, with the contents shown above.
Launch the Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Terminal in the page that opens.
Copy or drag — do not type — the line of text below into the Terminal window, then press return:
sudo sh -c 'cat Desktop/hosts > /etc/hosts'
You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. Confirm. Quit Terminal.
Do not type anything in the Terminal window except your password.
That will fix the hosts file. You can now close the “etc” folder and delete the hosts file on your Desktop.
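The clean-up step described in the post above, as an added example that is not part of the original thread: shell functions that list every hosts entry other than the four stock lines shown and write a cleaned copy for review instead of editing /etc/hosts in place. The function names are hypothetical, and the sample file is constructed from lines quoted in the thread.

```shell
#!/bin/sh
# Added example: compare a hosts file with the four stock entries quoted in the thread.
# Function names are hypothetical; nothing here writes to /etc/hosts.

# awk allowlist of the default "address name" pairs shown in the thread.
ALLOW='BEGIN {
    ok["127.0.0.1 localhost"] = 1
    ok["255.255.255.255 broadcasthost"] = 1
    ok["::1 localhost"] = 1
    ok["fe80::1%lo0 localhost"] = 1
}'

# Print every "address name" pair that is not a stock entry.
audit_hosts() {
    awk "$ALLOW"'
        { sub(/\r$/, ""); sub(/#.*/, "") }      # drop CR and comments
        NF < 2 { next }                          # blank or incomplete line
        { for (i = 2; i <= NF; i++) if (!(($1 " " $i) in ok)) print $1, $i }
    ' "$1"
}

# Write to stdout a copy that keeps comments, blank lines and stock entries only.
clean_hosts() {
    awk "$ALLOW"'
        { line = $0; sub(/\r$/, ""); sub(/#.*/, "") }
        NF == 0 { print line; next }             # comment-only or blank
        NF < 2 { next }
        { keep = 1
          for (i = 2; i <= NF; i++) if (!(($1 " " $i) in ok)) keep = 0
          if (keep) print line }
    ' "$1"
}

# Constructed sample built from lines quoted in the thread.
make_sample() { cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
91.224.160.26 google.com
91.224.160.26 www.google.com
EOF
}

sample=$(mktemp)
make_sample "$sample"
echo "Non-default entries:"; audit_hosts "$sample"
echo "Cleaned copy:";        clean_hosts "$sample"
rm -f "$sample"
```

Entries added on purpose by the user are listed as well, so read the audit output before replacing the file with the cleaned copy.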
Linc,
Can't thank you enough. My computer is crying tears of joy. So happy to be disease free at last! Your very specific instructions worked as advertised. Just re-booted and checked on the host file. Opens properly. Will run a Sophos scan soon, but I'm sure it will show no virus/malware.
I truly wasn't sure if this problem could ever be resolved and had long since run out of airspeed and ideas.
Thank you again for leading me through the technical mine-field!
Cheers!