Disappearing HOSTS file XP Pro SP2

jonnybee

Hi All -

I do web development, and I use the HOSTS files on our local machines to
access test servers that don't have 'public' DNS names and for virtual
servers on the local loop so we don't have to publish over the 'net to our
own IIS6 servers.

It works brilliantly. HOWEVER - I have one machine that just won't let me
create/edit a HOSTS file. Well, it will let me create it, and then it will
just wink out of existence right before your eyes.

This box is running XP Pro 32 with SP2 installed & is up-to-date on
hotfixes/patches.

This is the only machine I am having this problem with AFAIK. I have 4
others where this is not the case. 2 with XP Pro and 2 with Media Center.

I'm not sure when the problem began to be honest because machines are tasked
differently. I noticed when I started publishing to a new virtual server -
WOW - that was slow... of course I'm publishing to a fully qualified path,
and I had created a host file to point to the local server, so I first pinged
the FQDN - whoa - it was resolving to the public DNS entry. It was so slow
because the traffic was flowing out over the internet to the provider and
then back to the server. I thought I might have made a mistake in the HOSTS
entry, so I went to system32\drivers\etc - NO HOST FILE!

Yep, I was logged on as Administrator when I created the file. I tried a
couple of times, and finally used Crimson editor to create the file, and left
the system32\drivers\etc folder open in Explorer. About a minute later -
POOF!

I suspect this is a function of Windows System File Checker. I have done
some research along those lines, but I'm unsure if the HOSTS file is one of
those protected? The only way I can figure this one based on what I have
read is that this machine didn't have a HOSTS file when SP2 was applied - so
SFC thinks there should not be one. One other thought has occurred and that
was the Malware Removal tool might be responsible.

I'm at a complete loss here - Thanks for any ideas.

jon b
 
Lanwench [MVP - Exchange]

My reply is at the bottom of your message.

jonnybee said:
Hi All -

I do web development, and I use the HOSTS files on our local machines
to access test servers that don't have 'public' DNS names and for
virtual servers on the local loop so we don't have to publish over
the 'net to our own IIS6 servers.

It works brilliantly. HOWEVER - I have one machine that just won't
let me create/edit a HOSTS file. Well, it will let me create it, and
then it will just wink out of existence right before your eyes.

This box is running XP Pro 32 with SP2 installed & is up-to-date on
hotfixes/patches.

This is the only machine I am having this problem with AFAIK. I have
4 others where this is not the case. 2 with XP Pro and 2 with Media
Center.

I'm not sure when the problem began to be honest because machines are
tasked differently. I noticed when I started publishing to a new
virtual server - WOW - that was slow... of course I'm publishing to a
fully qualified path, and I had created a host file to point to the
local server, so I first pinged the FQDN - whoa - it was resolving to
the public DNS entry. It was so slow because the traffic was flowing
out over the internet to the provider and then back to the server. I
thought I might have made a mistake in the HOSTS entry, so I went to
system32\drivers\etc - NO HOST FILE!

Yep, I was logged on as Administrator when I created the file. I
tried a couple of times, and finally used Crimson editor to create
the file, and left the system32\drivers\etc folder open in Explorer.
About a minute later - POOF!

I suspect this is a function of Windows System File Checker. I have
done some research along those lines, but I'm unsure if the HOSTS
file is one of those protected? The only way I can figure this one
based on what I have read is that this machine didn't have a HOSTS
file when SP2 was applied - so SFC thinks there should not be one.
One other thought has occurred and that was the Malware Removal tool
might be responsible.

I'm at a complete loss here - Thanks for any ideas.

jon b

SFC can't have anything to do with this.
What antispyware/antimalware applications do you have running on this box?
Disable them and test again.
 
jonnybee

--
werkin' hard


Lanwench said:
My reply is at the bottom of your message.



SFC can't have anything to do with this.
What antispyware/antimalware applications do you have running on this box?
Disable them and test again.

Heh - NOT running any anti-spyware or anti-malware. I checked for the
presence of the MS malware tool - not in sight. I tried uninstalling a
couple of toolbars that had attached themselves thinking that might be the
source - nope. We run the Big 4 browsers for testing IE, FF, Opera and Safari
- and sometimes those toolbars get attached.

BUT - I think we might have 'acquired' a rootkit. Whatever is killing the
HOSTS file takes a minute or two to find it. BUT if you launch a browser -
presto - doesn't matter what browser. I'm thinking a port 80 watcher. I had
done a full system virusscan - negative - then I ran HijackThis and came
across one of those gnarly dll names and a reference to it from a virusscan
log. So I'm gonna do the brave (and sensible) thing and wipe it. I have
already burned too many hours on this... Thank God for a couple of spare
machines.

Before I do I will run ActivePorts on it to see if there's a logger or
redirector hanging about.

Thanks very much for your speedy, speedy and thoughtful input

jon b
 
Lanwench [MVP - Exchange]

jonnybee said:
Heh - NOT running any anti-spyware or anti-malware. I checked for the
presence of the MS malware tool - not in sight. I tried uninstalling
a couple of toolbars that had attached themselves thinking that might
be the source - nope. We run the Big 4 browsers for testing IE, FF,
Opera and Safari - and sometimes those toolbars get attached.

BUT - I think we might have 'acquired' a rootkit. Whatever is
killing the HOSTS file takes a minute or two to find it. BUT if you
launch a browser - presto - doesn't matter what browser. I'm
thinking a port 80 watcher. I had done a full system virusscan -
negative - then I ran HijackThis and came across one of those gnarly
dll names and a reference to it from a virusscan log. So I'm gonna
do the brave (and sensible) thing and wipe it. I have already burned
too many hours on this... Thank God for a couple of spare machines.

Before I do I will run ActivePorts on it to see if there's a logger or
redirector hanging about.

Thanks very much for your speedy, speedy and thoughtful input

jon b


You're most welcome - and ugh, what a pain in the ___. Best of luck. You're
probably doing the right thing.
 
John Wunderlich

jonnybee said:
Hi All -

I do web development, and I use the HOSTS files on our local
machines to access test servers that don't have 'public' DNS names
and for virtual servers on the local loop so we don't have to
publish over the 'net to our own IIS6 servers.

It works brilliantly. HOWEVER - I have one machine that just won't
let me create/edit a HOSTS file. Well, it will let me create it,
and then it will just wink out of existence right before your
eyes.

This box is running XP Pro 32 with SP2 installed & is up-to-date
on hotfixes/patches.

This is the only machine I am having this problem with AFAIK. I
have 4 others where this is not the case. 2 with XP Pro and 2
with Media Center.

I'm not sure when the problem began to be honest because machines
are tasked differently. I noticed when I started publishing to a
new virtual server - WOW - that was slow... of course I'm
publishing to a fully qualified path, and I had created a host
file to point to the local server, so I first pinged the FQDN -
whoa - it was resolving to the public DNS entry. It was so slow
because the traffic was flowing out over the internet to the
provider and then back to the server. I thought I might have made
a mistake in the HOSTS entry, so I went to system32\drivers\etc -
NO HOST FILE!

Yep, I was logged on as Administrator when I created the file. I
tried a couple of times, and finally used Crimson editor to create
the file, and left the system32\drivers\etc folder open in
Explorer. About a minute later - POOF!

I suspect this is a function of Windows System File Checker. I
have done some research along those lines, but I'm unsure if the
HOSTS file is one of those protected? The only way I can figure
this one based on what I have read is that this machine didn't
have a HOSTS file when SP2 was applied - so SFC thinks there
should not be one. One other thought has occurred and that was
the Malware Removal tool might be responsible.

I'm at a complete loss here - Thanks for any ideas.

jon b

If you don't want to spend the time finding the cause, after editing
the file, you can go into the security settings for the file and change
them such that nobody (even SYSTEM or yourself) can alter or delete the
file while allowing the normal Read access. You'd have to change the
permissions back to further edit the file, but this may be a workaround
that won't take too much of your time.


HTH,
John
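
The manual check described in the first post (ping the FQDN, then look in system32\drivers\etc) can be scripted so that a vanished file or an override that is no longer honoured is noticed right away. This is an added example, not code from any poster in the thread; the hostnames, addresses and function names are constructed for illustration.

```python
import ipaddress
import os
import socket

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # default on Windows
# Constructed sample of the overrides a developer expects to be in force.
SAMPLE_EXPECTED = """
127.0.0.1   dev.example.test      # local IIS virtual server
10.0.0.5    stage.example.test    # internal test server
"""

def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-format text, skipping comments."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except (IndexError, ValueError):
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:
            entries.setdefault(name.lower(), ip)  # keep the first mapping seen
    return entries

def system_resolve(name):
    """Addresses the OS resolver returns for name; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_overrides(expected, hosts_path=HOSTS_PATH, resolve=system_resolve):
    """Compare intended overrides with the file on disk and live resolution."""
    findings, on_disk = [], {}
    if os.path.isfile(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            on_disk = parse_hosts(fh.read())
    else:
        findings.append(("FILE_MISSING", hosts_path, None))
    for name, ip in sorted(parse_hosts(expected).items()):
        if on_disk.get(name) != ip:
            findings.append(("ENTRY_MISSING", name, ip))
        got = resolve(name)
        if ip not in got:
            findings.append(("RESOLVES_ELSEWHERE", name, sorted(got)))
    return findings

if __name__ == "__main__":
    print(*check_overrides(SAMPLE_EXPECTED), sep="\n")
```

Logging the findings with a timestamp on each run gives a time for the first FILE_MISSING that can be matched against what was started on the machine just before it.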
 
