help! Internet Explorer ignoring my HOSTS file

kellygreer1

Hi groups!

Anyone seen this before? I got hit with some pretty nasty Spyware. Ran
Spybot S&D, Lavasoft Ad-aware, Hijack This, and the Microsoft
AntiSpyware Beta. Then as I continued to try to clean things up I
noticed Internet Explorer was ignoring my HOSTS file. I have lost the
ability to keep Internet Explorer from getting to certain sites by
using the HOSTS file. For example I noticed www.winfixer.com and
www.abetterinternet.com, I tried to redirect those to 127.0.0.1 and the
popups were still able to get to those sites. Ping from the command
line and Mozilla Firefox seem to be using my HOSTS file. Weird.

So I guess my question is.....
Is this some horrible form of "protection" from one of the Spyware /
Adware products..... OR is this Adware/Spyware/Virus program itself
making Internet Explorer ignore my HOSTS file.

Thanks,
Kelly Greer
(e-mail address removed)
change nospam to yahoo
 
AvianFlux

Did you check the integrity of your HOSTS file?

Reload the HOSTS file and lock it with HostsMan or some other manager
program.
 
data64

Anyone seen this before? I got hit with some pretty nasty Spyware. Ran
Spybot S&D, Lavasoft Ad-aware, Hijack This, and the Microsoft
AntiSpyware Beta. Then as I continued to try to clean things up I
noticed Internet Explorer was ignoring my HOSTS file. I have lost the
ability to keep Internet Explorer from getting to certain sites by
using the HOSTS file. For example I noticed www.winfixer.com and
www.abetterinternet.com, I tried to redirect those to 127.0.0.1 and the
popups were still able to get to those sites. Ping from the command
line and Mozilla Firefox seem to be using my HOSTS file. Weird.

Sounds more like a caching issue. IE or some Windows component seems to be
holding on to an older value of the DNS lookup rather than using the new value
from your HOSTS file.

Assuming that you are on Windows 2k or better, try doing
"ipconfig /flushdns"
or simpler yet would be to reboot.


data64
 
kellygreer1

..... reboots do not fix.
ipconfig/flushdns did not work.

I'll try HostsMan.
This seems to maybe have done the trick.

Still trying to clean up this machine.

Running into this error now trying to use Windows Update
[Error number: 0x80072F78]
The website has encountered a problem and cannot display the page you
are trying to view. The options provided below might help you solve the
problem.
For self-help options:
Frequently Asked Questions
Find Solutions
Windows Update Newsgroup
For assisted support options:
Microsoft Online Assisted Support (no-cost for Windows Update issues)

Oh well. Might have to download the whole Windows XP SP2 iso file
tonight.
And try to get some more updates that way. Working with a Windows XP
SP1a install now.

Thanks,
Kelly
 
Max Wachtel

Oh well. Might have to download the whole Windows XP SP2 iso file
tonight.
And try to get some more updates that way. Working with a Windows
XP SP1a install now.

Thanks,
Kelly

Use the IT version of SP2-worked well for me.
-max
--
"VISTA" is an acronym for the top five Windows problems: Viruses,
Infections, Spyware, Trojans and Adware. -PanHandler
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
 
Col.Steve Austin Ret.

Did you check the integrity of your HOSTS file?

Reload the HOSTS file and lock it with HostsMan or some other manager
program.


Personally, I prefer to do it the old fashioned way..

open DOS box

cd \windows (if not already in that dir, usually you will start
there)
command\attrib +r +s +h HOSTS

that locks the file by making it hidden, system, read-only. all
those doodads just have flashy ways to do that simple command

to unlock the file for editing simply reverse the command

attrib -r -s -h HOSTS


I made a simple batch file for editing the hosts file..

attrib -r -s -h HOSTS
edit HOSTS
attrib +r +s +h HOSTS
exit


--
My email is bogus, don't bother using it.

~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.dyndns.org
for abuse and hashcash info.
 
Steve Winograd [MVP]

Col.Steve said:
Personally, I prefer to do it the old fashioned way..

open DOS box

cd \windows (if not already in that dir, usually you will start
there)
command\attrib +r +s +h HOSTS

that locks the file by making it hidden, system, read-only. all
those doodads just have flashy ways to do that simple command

to unlock the file for editing simply reverse the command

attrib -r -s -h HOSTS

I made a simple batch file for editing the hosts file..

attrib -r -s -h HOSTS
edit HOSTS
attrib +r +s +h HOSTS
exit

That looks like a good way to protect the Hosts file for people who
are comfortable with DOS commands.

Kelly's original question said that he/she has installed Microsoft
AntiSpyware Beta, which only runs on Windows 2000 and XP. In 2000 and
XP, the Hosts file is in %windir%\system32\drivers\etc, where %windir%
is usually "C:\WinNT" or "C:\Windows".
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Far Canal

Col.Steve Austin Ret. wrote

Personally, I prefer to do it the old fashioned way..


You're missing the point. HostsMan is 'using' the Hosts file all the
time it's running - therefore no other program can alter/edit the Hosts
file. Many spyware/trojans are able to change the attributes of the hosts
file to gain access. What you're doing is pointless.
 
David H. Lipman

From: "kellygreer1" <[email protected]>

| Hi groups!
|
| Anyone seen this before? I got hit with some pretty nasty Spyware. Ran
| Spybot S&D, Lavasoft Ad-aware, Hijack This, and the Microsoft
| AntiSpyware Beta. Then as I continued to try to clean things up I
| noticed Internet Explorer was ignoring my HOSTS file. I have lost the
| ability to keep Internet Explorer from getting to certain sites by
| using the HOSTS file. For example I noticed www.winfixer.com and
| www.abetterinternet.com, I tried to redirect those to 127.0.0.1 and the
| popups were still able to get to those sites. Ping from the command
| line and Mozilla Firefox seem to be using my HOSTS file. Weird.
|
| So I guess my question is.....
| Is this some horrible form of "protection" from one of the Spyware /
| Adware products..... OR is this Adware/Spyware/Virus program itself
| making Internet Explorer ignore my HOSTS file.
|
| Thanks,
| Kelly Greer
| (e-mail address removed)
| change nospam to yahoo

Kelly:

Some malware will redirect the location of the TCP/IP statics tables.

The following is the Registry key and proper setting.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DataBasePath=%SystemRoot%\System32\drivers\etc
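
A read-only check of the registry setting described above, combined with the hosts-file integrity and attribute checks suggested earlier in the thread. This is an added example, not code from any poster; the watch list uses the site names mentioned in the thread, and treating 127.0.0.1 and 0.0.0.0 as the only acceptable block targets is an assumption.

```powershell
# Added example: read-only audit; changes nothing. Assumes PowerShell 3.0 or later.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Expected = '%SystemRoot%\System32\drivers\etc'           # value given in the post above
$Watch    = 'www.winfixer.com', 'www.abetterinternet.com' # names from the thread
$Sink     = '127.0.0.1', '0.0.0.0'                        # assumption: accepted block targets

# Read the stored string without expanding %SystemRoot%, so a redirect is visible as written.
$key = Get-Item -LiteralPath $KeyPath
$raw = $key.GetValue('DataBasePath', $null,
    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
if ($null -eq $raw) { Write-Warning 'DataBasePath value is missing'; return }
if ($raw.TrimEnd('\') -ine $Expected) {
    Write-Warning "DataBasePath is '$raw', expected '$Expected'"
} else {
    Write-Output "DataBasePath OK: $raw"
}

# Locate the hosts file under that directory and report its attributes.
$hosts = Join-Path ([Environment]::ExpandEnvironmentVariables($raw)) 'hosts'
if (-not (Test-Path -LiteralPath $hosts)) { Write-Warning "No hosts file at $hosts"; return }
$file = Get-Item -LiteralPath $hosts -Force   # -Force also finds hidden/system files
Write-Output ('{0} attributes={1} modified={2}' -f $file.FullName, $file.Attributes, $file.LastWriteTime)

# Parse entries: drop comments, split on whitespace; the first token is the address.
$entries = @(foreach ($line in Get-Content -LiteralPath $hosts) {
    $text = ($line -split '#', 2)[0].Trim()
    if (-not $text) { continue }
    $addr, $names = $text -split '\s+'
    foreach ($n in $names) { [pscustomobject]@{ Address = $addr; Name = $n.ToLower() } }
})

# Watched names that are missing or mapped to something other than a sink address.
foreach ($name in $Watch) {
    $hits = @($entries | Where-Object { $_.Name -eq $name })
    if ($hits.Count -eq 0) { Write-Warning "$name has no hosts entry" }
    foreach ($h in $hits) {
        if ($Sink -notcontains $h.Address) { Write-Warning "$name -> $($h.Address)" }
    }
}

# Names mapped to a non-loopback address are listed for manual review.
$entries | Where-Object { ($Sink + '::1') -notcontains $_.Address } |
    ForEach-Object { Write-Output "review: $($_.Name) -> $($_.Address)" }
```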
 
kellygreer1

Well the HostsMan program seemed to do something on the install that I
thought fixed it.

But now after doing Windows XP SP2 and the latest updates it's gone back
to ignoring my HOSTS file. The registry key looks ok. I'll have to
rewrite it and see if that helps...... it's weird though. If it was
the reg key wouldn't all programs be affected? Not just IE? Ping and
Firefox still using the HOSTS file. Weird.

How does an individual program decide to ignore the HOSTS file?

When I do solve this I will post back to the group the best way to
protect yourself from this. Not sure if I will find the fix before
Spybot or Lavasoft discover this malware.

Does anyone know of a free proxy server I could run locally(?), then I
could tell IE to use the proxy and through the proxy block
www.winfixer.com, abetterinternet.com, vx2.com, etc...?

Thanks,
Kelly
 
David H. Lipman

From: "kellygreer1" <[email protected]>

| Well the HostsMan program seemed to do something on the install that I
| thought fixed it.
|
| But now after doing Windows XP SP2 and the latest updates it's gone back
| to ignoring my HOSTS file. The registry key looks ok. I'll have to
| rewrite it and see if that helps...... it's weird though. If it was
| the reg key wouldn't all programs be affected? Not just IE? Ping and
| Firefox still using the HOSTS file. Weird.
|
| How does an individual program decide to ignore the HOSTS file?
|
| When I do solve this I will post back to the group the best way to
| protect yourself from this. Not sure if I will find the fix before
| Spybot or Lavasoft discover this malware.
|
| Does anyone know of a free proxy server I could run locally(?), then I
| could tell IE to use the proxy and through the proxy block
| www.winfixer.com, abetterinternet.com, vx2.com, etc...?
|
| Thanks,
| Kelly

If you are infected with some malware, they change the DataBase location and thus the hosts
file is assumed by the OS to be used from the alternate location. The following tool will
correct any alterations and the utility provides AV scanners from Trend, Sophos and McAfee
to clean any infector that may make said alteration.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *
 
