
HostMod-A removal?

How do I remove HostMod-A malware? It's located at Private/etc/hosts, but when I try to open that folder, it says I do not have permission.

Posted on Jun 22, 2012 1:30 PM

52 replies

Jun 24, 2012 8:37 AM in response to foxone12

Your suggestion was a good idea, but didn't do the job. I downloaded TextWrangler and requested the /etc/hosts, as you suggested. Got the following message:


"This operation couldn’t be completed because an error occurred.


You do not have sufficient privileges to perform this operation (MacOS Error code –5000)"


This problem is turning out to be unbelievably tough!


But, I truly do appreciate the thought and effort everyone is putting into this.

Jun 24, 2012 1:40 PM in response to foxone12

foxone12 wrote:


Nice idea and I tried it. Yes, I can 'clear from list' and the clearing lasts a full five seconds before the virus/spyware is again detected and Sophos gets very excited to tell me about it.

One last suggestion if the pop-up becomes unbearable is to go to Sophos Preferences->On-Access Scanning, unlock it and click the Stop Scanning button. That will hopefully stop the pop-ups (you may have to clear the quarantine manager again) but of course leaves you open to possible infection, if that disturbs you.


I personally do not believe that the host file is being changed by anything at this point and that the alerts are being caused by whatever other issues you are having with your Mac.


I'm going to back away at this point and observe as I've never experienced anything quite like this in my 25+ years of Mac experience, but will monitor if you need me for anything further.

Jun 26, 2012 9:52 PM in response to foxone12

It's pretty clear to me that you've got unrecoverable problems here and it's time to start over with a fresh OS X and restore your user data from backup. It's either that or make an appointment with your closest Apple Store Genius or certified Mac repair facility.


If you need help with the former, Linc has a great outline of the steps you need to take.

Jun 27, 2012 5:50 AM in response to foxone12

Please read this whole message before doing anything.


This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.


The purpose of this exercise is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login. Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode* and log in to the account with the problem. The instructions provided by Apple are as follows:


  1. Be sure your Mac is shut down.
  2. Press the power button.
  3. Immediately after you hear the startup tone, hold the Shift key. The Shift key should be held as soon as possible after the startup tone, but not before the tone.
  4. Release the Shift key when you see the gray Apple icon and the progress indicator (looks like a spinning gear).


*Note: If FileVault is enabled under Mac OS X 10.7 or later, or if a firmware password is set, you can’t boot in safe mode.


Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs.


The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.


Test while in safe mode. Same problem(s)?


After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of the test.

Jun 28, 2012 4:44 AM in response to Linc Davis

Linc,


I did as you asked and lo and behold, I was able to open the hosts file in TextEdit. Here's what I found:


    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost

    91.224.160.26 google.com
    91.224.160.26 google.co.uk
    91.224.160.26 google.com.au
    91.224.160.26 google.ca
    91.224.160.26 google.us
    91.224.160.26 www.google.com
    91.224.160.26 www.google.co.uk
    91.224.160.26 www.google.com.au
    91.224.160.26 www.google.ca
    91.224.160.26 www.google.us


Am I to understand all I need to do is move the Google goodies from TextEdit to the trash and my problem will finally be solved? Never worked with the hosts file before, so I don't know if moving the items from TextEdit will truly modify the hosts file, or if there is something else I need to do to absolutely remove the virus/malware.


Thanks so much for getting me this far.


Bill Stroud

Jun 28, 2012 5:42 AM in response to foxone12

You seem to have more than one issue, but the hosts file can be fixed as follows. Carry out these steps in safe mode.


Back up all data if you haven’t already done so. Before proceeding, you must be sure you can restore your system to the state it’s in now.


These instructions must be carried out in an administrator account, if you have more than one user account.


Select Go ▹ Go to Folder... from the Finder menu bar. In the text box that opens, enter the line below:


/etc/hosts


Double-click the selected file in the folder that opens. The file should open in TextEdit.


At the top of the TextEdit window, you should see something like this:


    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost


Below that, you'll see some other lines. Delete everything below the last line shown above. Make sure you scroll all the way to the bottom of the document. In Lion, scroll bars are hidden by default until you actually start scrolling, so you may not realize that you’re not seeing the whole document.


Save your changes to a new file. In the Save As... dialog, make the name of the file “hosts” and deselect the option to add a ".txt" extension to the file name, if it's selected. Save the file to your Desktop. You should now have a file named exactly "hosts" with no extension on your Desktop, with the contents shown above.


Launch the Terminal application in any of the following ways:


Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Terminal in the page that opens.


Copy or drag — do not type — the line of text below into the Terminal window, then press return:


sudo sh -c 'cat Desktop/hosts > /etc/hosts'


You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. Confirm. Quit Terminal.


Do not type anything in the Terminal window except your password.


That will fix the hosts file. You can now close the “etc” folder and delete the hosts file on your Desktop.
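An added example, not part of the post above or of any tool mentioned in this thread: a read-only check that lists every mapping in a hosts file beyond the four stock entries quoted in the thread, so the file can be verified before and after the repair. The names `audit_hosts` and `demo` and the 203.0.113.10 sample address are constructed for illustration.

```shell
#!/bin/sh
# audit_hosts FILE
# Print "line: address name" for every mapping that is not one of the four
# stock entries. Returns 0 if the file is clean, 1 if extras were found.
audit_hosts() {
    awk '
    BEGIN {
        # Stock entries from the default file quoted in the thread.
        ok["127.0.0.1 localhost"] = 1
        ok["255.255.255.255 broadcasthost"] = 1
        ok["::1 localhost"] = 1
        ok["fe80::1%lo0 localhost"] = 1
    }
    {
        sub(/\r$/, "")      # tolerate CRLF line endings
        sub(/#.*/, "")      # drop comments, including trailing ones
        if (NF < 2) next    # blank line, or an address with no name
        # One line may carry several names: check each address/name pair.
        for (i = 2; i <= NF; i++) {
            pair = tolower($1 " " $i)
            if (!(pair in ok)) {
                printf "%d: %s %s\n", NR, $1, $i
                bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# demo: audit a constructed sample (stock file plus one redirect line that
# points two names at a documentation-range address).
demo() {
    f=$(mktemp) || return 2
    printf '%s\n' '# Host Database' '127.0.0.1 localhost' \
        '255.255.255.255 broadcasthost' '::1 localhost' \
        'fe80::1%lo0 localhost' \
        '203.0.113.10 google.com www.google.com  # constructed entry' > "$f"
    rc=0
    audit_hosts "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}

# When a path is given on the command line, audit that file.
if [ "$#" -gt 0 ]; then audit_hosts "$1"; fi
```

Saved as a script and run with `/etc/hosts` as its argument, it needs no `sudo` because it only reads the file; no output and exit status 0 mean only the stock entries remain.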

Jun 28, 2012 7:43 PM in response to Linc Davis

Linc,


Can't thank you enough. My computer is crying tears of joy. So happy to be disease free at last! Your very specific instructions worked as advertised. Just re-booted and checked on the host file. Opens properly. Will run a Sophos scan soon, but I'm sure it will show no virus/malware.


I truly wasn't sure if this problem could ever be resolved and had long since run out of airspeed and ideas.


Thank you again for leading me through the technical mine-field!


Cheers!
