Previous 1 2 3 4 Next 52 Replies Latest reply: Jul 15, 2012 5:11 PM by MadMacs0 Go to original post
  • thomas_r. Level 7 (30,645 points)

    Went to Terminal and brought up a couple of new windows.  New Window - basic, etc.  Neither offered a prompt.


    That's very odd.  Probably something that deserves a topic of its own, and that may be indicative of greater problems with your system.


    However, here's an alternate solution for seeing what's in the hosts file.  Get a copy of TextWrangler, open it and choose File -> Open File by Name.  In what looks like a search field, type "/etc/hosts" (minus the quotes) and press return.  This should open the hosts file in TextWrangler, which will authenticate to open the file if necessary.  Make sure the contents match what MadMacs0 posted earlier.


    Of course, the hosts file should be readable by everyone.  If yours isn't, that's definitely a problem.  But I'm not an expert at troubleshooting issues like this and the missing Terminal prompt.  I'll see if I can get someone else who is to take a look here.

  • foxone12 Level 1 (0 points)

    Your suggestion was a good idea, but didn't do the job.  I downloaded TextWrangler and requested the /etc/hosts, as you suggested.  Got the following message:


    "This operation couldn’t be completed because an error occurred.


      You do not have sufficient privileges to perform this operation (MacOS Error code –5000)"


    This problem is turning out to be unbelievably tough!


    But, I truly do appreciate the thought and effort everyone is putting into this.

  • thomas_r. Level 7 (30,645 points)

    Go back to the hosts file in the Finder, select it and choose File -> Get Info.  Can you provide a screenshot for the permissions information at the bottom of the window?  (Press command-shift-4 and select the area to capture.)  Here's what it looks like on my system:


    Screen Shot 2012-06-24 at 11.47.00 AM.png

  • foxone12 Level 1 (0 points)

    Mine looks exactly as yours does.

  • thomas_r. Level 7 (30,645 points)

    Then the problem is deeper.  Hopefully, the guy I left a message for sees it and responds here soon!

  • MadMacs0 Level 5 (4,700 points)

    foxone12 wrote:


    Nice idea and I tried it.  Yes, I can 'clear from list' and the clearing lasts a full five seconds before the virus/spyware is again detected and Sophos gets very excited to tell me about it.

    One last suggestion if the pop-up becomes unbearable is to got to Sophos Preferences->On-Access Scanning, unlock it and click the Stop Scanning button. That will hopefully stop the pop-ups (you may have to clear the quarantine manager again) but of course leaves you open to possible infection, if that disturbs you.


    I personally do not believe that the host file is being changed by anything at this point and that the alerts are being caused by whatever other issues you are having with your Mac.


    I'm going to back away at this point and observe as I've never experienced anything quite like this in my 25+ years of Mac experience, but will monitor if you need me for anything further.

  • Linc Davis Level 10 (184,680 points)

    Please post the output of the following shell commands:


    ls -Odel /etc/

    ls -Oel /etc/hosts

  • foxone12 Level 1 (0 points)

    I do not know how to do this.


    Hosts will not open.


    Terminal will open, but offers no prompts and will accept no inputs.


    I appreciate you taking the time to think about his and offer solutions.

  • MadMacs0 Level 5 (4,700 points)

    It's pretty clear to me that you've got unrecoverable problems here and it's time to start over with a fresh OS X and restore your user data from backup. It's either that or make an appointment with your closest Apple Store Genius or certified Mac repair facility.


    If you need help with the former, Linc has a great outline of the steps you need to take.

  • Linc Davis Level 10 (184,680 points)

    Please read this whole message before doing anything.


    This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.


    The purpose of this exercise is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login. Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode* and log in to the account with the problem. The instructions provided by Apple are as follows:


    1. Be sure your Mac is shut down.
    2. Press the power button.
    3. Immediately after you hear the startup tone, hold the Shift key. The Shift key should be held as soon as possible after the startup tone, but not before the tone.
    4. Release the Shift key when you see the gray Apple icon and the progress indicator (looks like a spinning gear).


    *Note: If FileVault is enabled under Mac OS X 10.7 or later, or if a firmware password is set, you can’t boot in safe mode.


    Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs.


    The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.


    Test while in safe mode. Same problem(s)?


    After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of the test.

  • foxone12 Level 1 (0 points)



    I did as you asked and lo and behold, I was able to open the hosts file in TextEdit.  Here's what I found:



    # Host Database


    # localhost is used to configure the loopback interface

    # when the system is booting.  Do not change this entry.

    ##          localhost          broadcasthost

    ::1             localhost

    fe80::1%lo0          localhost




    Am I to understand all I need to do is move the goodle goodies from TextEdit to the trash and my problem will finally be solved?  Never worked with the hosts file before, so I don't know if moving the items from TextEdit will truly modify the hosts file, or if there is something else I need to do to absolutely remove the virus/malware.


    Thanks so much for getting me this far.


    Bill Stroud

  • thomas_r. Level 7 (30,645 points)

    You mention moving "items" to the trash, but keep in mind that file is just a text file.  All you need to do is select all the text below that last "localhost" line and push the delete key, then save the file.


    BTW, if you are able to edit that file in safe mode, are you still able to edit it when you start up normally again?

  • foxone12 Level 1 (0 points)

    I could edit it (delete) as you suggested, however, apparently I do not have permission to save the file.  Everything is still open and I'm not going to close it until I know how to save the file.  System:  read & write.  The other two are read only.

  • thomas_r. Level 7 (30,645 points)

    Try using TextWrangler instead.  It can authenticate to allow edits to be saved.

  • Linc Davis Level 10 (184,680 points)

    You seem to have more than one issue, but the hosts file can be fixed as follows. Carry out these steps in safe mode.


    Back up all data if you haven’t already done so. Before proceeding, you must be sure you can restore your system to the state it’s in now.


    These instructions must be carried out in an administrator account, if you have more than one user account.


    Select Go Go to Folder... from the Finder menu bar. In the text box that opens, enter the line below:




    Double-click the selected file in the folder that opens. The file should open in TextEdit.


    At the top of the TextEdit window, you should see something like this:



    # Host Database


    # localhost is used to configure the loopback interface

    # when the system is booting.  Do not change this entry.

    ##                              localhost          broadcasthost

    ::1                                        localhost

    fe80::1%lo0                    localhost


    Below that, you'll see some other lines. Delete everything below the last line shown above. Make sure you scroll all the way to the bottom of the document. In Lion, scroll bars are hidden by default until you actually start scrolling, so you may not realize that you’re not seeing the whole document.


    Save your changes to a new file. In the Save As... dialog, make the name of the file “hosts” and deselect the option to add a ".txt" extension to the file name, if it's selected. Save the file to your Desktop. You should now have a file named exactly "hosts" with no extension on your Desktop, with the contents shown above.


    Launch the Terminal application in any of the following ways:


    Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


    In the Finder, select Go Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


    If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Terminal in the page that opens.


    Copy or drag — do not type — the line of text below into the Terminal window, then press return:


    sudo sh -c 'cat Desktop/hosts > /etc/hosts'


    You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. Confirm. Quit Terminal.


    Do not type anything in the Terminal window except your password.


    That will fix the hosts file. You can now close the “etc” folder and delete the hosts file on your Desktop.