hosts file "missing"

Gordon J. Rattray

Hi there,

I've got a machine where I can not see the hosts file. I've selected "show
hidden files and folders" and taken the check mark out of both "hide
extensions for known file types" and "hide protected operating system
files".

Yet, when I go to rename the hosts.msn to just "hosts" it won't let me do it
saying there's a file by that name in there, yet I can't see it.

I can't get to over half the web pages on this machine and I can't get to
any of the online antivirus scanner sites.

So, I need to know how to access the hidden hosts file to be able to access
it to modify it.

Thanks,

Gordon
 
David H. Lipman

From: "Gordon J. Rattray" <[email protected]>

| Hi there,
|
| I've got a machine where I can not see the hosts file. I've selected "show
| hidden files and folders" and taken the check mark out of both "hide
| extensions for known file types" and "hide protected operating system
| files".
|
| Yet, when I go to rename the hosts.msn to just "hosts" it won't let me do it
| saying there's a file by that name in there, yet I can't see it.
|
| I can't get to over half the web pages on this machine and I can't get to
| any of the online antivirus scanner sites.
|
| So, I need to know how to access the hidden hosts file to be able to access
| it to modify it.
|
| Thanks,
|
| Gordon
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
PA Bear

Excessive crossposting eliminated.

The default file named hosts (no extension; not Lmhosts) is located in
C:\WINDOWS\SYSTEM32\DRIVERS\ETC.

How have you come to decide that a file named hosts.msn is causing your
problems?

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**
 
Gordon J. Rattray

Hi Robert,

In most machines I see a hosts and hosts.bak file... I can't remember seeing
any hosts.msn . Where would that come from?

But the crux of the matter is that I can not see the hosts file. If I create
a file called hosts, it won't let me do it in the
C:\windows\system32\drivers\etc folder. So, what's going on with the
supposedly hidden hosts file and how can I be able to see it? And then
modify it to my liking as I can't access many websites.

Gordon
 
David H. Lipman

From: "Gordon J. Rattray" <[email protected]>

| Hi Robert,
|
| In most machines I see a hosts and hosts.bak file... I can't remember seeing
| any hosts.msn . Where would that come from?
|
| But the crux of the matter is that I can not see the hosts file. If I create
| a file called hosts, it won't let me do it in the
| C:\windows\system32\drivers\etc folder. So, what's going on with the
| supposedly hidden hosts file and how can I be able to see it? And then
| modify it to my liking as I can't access many websites.
|
| Gordon

Gordon:

Please use my utility. You indicated that you can't access AV web sites. This is often the
case of malware performing self preservation techniques. The Multi AV Scanning Tool has
scripted capabilities to thwart such activity. It will then allow you to access the AV
vendors web sites and scan the PC and hopefully remove the malware that you are most likely
infected with.
 
Wesley Vogel

MSN Messenger?

[[At some point you had connection problems while using MSN Messenger and
opted to use its built-in connection troubleshooter when prompted. When you
did this your installed hosts file was backed up to "hosts.msn". ]]
http://www.hosts-file.net/phpbb2/viewtopic.php?p=2274

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
 
PA Bear

You'll need to run a /thorough/ check for hijackware before you'll be able
to find/see the hosts file, Gordon. The behavior you're seeing is due to a
hijackware infection.
 
RJK

....{in a Dalek like / burbly voice}...

....DESTROY.........DESTROY.........DESTROY...

....we WILL not tolerate crossposting....

....DESTROY....DESTROY.....DESTROY....

:)

regards, Richard
 
Gordon J. Rattray

Hey Gary,

I'm only going by what the machine is doing....I didn't design it.

If it has a hidden or locked hosts file that's blocking numerous web pages, I
want to know about it.

Gordon
 
Bill

Using a host file is a management nightmare. Simply turn it off in the ip
settings unless you have a really good reason to use it.
 
jen

Maybe this will help?
From: Tom Rivers Date: Tues, Sep 27 2005 8:33 am
Groups: microsoft.public.windows.server.general

Hi Josh,

I have just finished working with a total of five engineers at
Microsoft for three days trying to fix this problem and I finally have
a solution. From what I have been able to piece together, it really
was MSN Messenger 7.5 that broke my hosts file. The final engineer
found what the discrepancy was and from that discovery I have come up
with an hypothesis to explain what occurred. Here's what I think
caused my problem:


(1) MSN Messenger erroneously determined that my connection to the
Internet was not functioning and launched its troubleshooter.


(2) The troubleshooter made a copy of my existing hosts file and called
it hosts.msn. It then went through the data therein probably to
sanitize it and made a new hosts file.


(3) Next, it deleted my DataBasePath registry key and recreated it,
presumably to ensure that no malware had compromised it. It is this
step that corrupted the system.


Registry entries have three parts to them: name, type, data. The
specific key to which I am referring is found in
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
and is called DataBasePath. For a default installation of Windows
Server 2003, its type should be REG_EXPAND_SZ and its value should be
%SystemRoot%\System32\drivers\etc. MSN Messenger goofed up and made
the type REG_SZ and that is what killed the hosts file.


I'm not a registry expert, but I do have a background in programming.
My theory is that both registry key types allow for the storage of
alphanumeric data, however the difference is that the REG_EXPAND_SZ
type allows for substitutions while the REG_SZ type does not. I bet
since the REG_SZ type doesn't allow substitutions, the %SystemRoot%
section was interpreted literally instead of being substituted by
C:\Windows. This is why the "ipconfig /flushdns" command was not
caching the entries in the hosts file. It simply couldn't find it!
All I had to do was change the type to REG_EXPAND_SZ and everything
began to work again.


I recommended the engineer tell someone over at the MSN Messenger group
about this issue so that this kind of bug doesn't cause trouble in the
future. Hopefully someone there will take the appropriate action
required. I can tell you that the email support over at MSN Messenger
is woefully inadequate so I wouldn't recommend anyone use them for
anything other than a basic problem. Quite frankly, the only reason I
got the quality support I did was because I used a prepaid incident
from my MSDN subscription.


I hope this helps you and anyone else who has been bitten by this bug.
 
RJK

not for stand alone machines it isn't ! ...it's a valuable extra thin layer
of internet security :)

regards, Richard
 
Mr. Backup

hijacked... that's what it sounds like to me
the directory C:\WINDOWS\system32\drivers\etc
Should look like this, without any hidden files.
Owner File name
BUILTIN\Administrators hosts
BUILTIN\Administrators lmhosts.sam
BUILTIN\Administrators networks
BUILTIN\Administrators protocol
BUILTIN\Administrators services

You may even have a file called host.ics if you ever enabled internet
connection sharing running on that pc for any reason.
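
The two checks described in the posts above (the DataBasePath value type from the Tom Rivers post, and the owner/attribute listing of the etc directory), as an added example that is not part of the original thread. It is read-only and assumes Windows PowerShell 3.0 or later run from an elevated prompt; the variable names are illustrative.

```powershell
# Added example (not from the thread): read-only diagnosis of the hosts file location.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$valueName = 'DataBasePath'
$expected  = '%SystemRoot%\System32\drivers\etc'   # default quoted in the post above

$key = Get-Item -LiteralPath $keyPath
if ($key.GetValueNames() -notcontains $valueName) {
    Write-Warning "$valueName is missing from $keyPath."
}
else {
    $kind = $key.GetValueKind($valueName)
    # Read the stored string without expanding %SystemRoot%, so the raw data is visible.
    $raw  = $key.GetValue($valueName, $null,
              [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    "Type : $kind"
    "Data : $raw"

    # REG_SZ shows up as 'String', REG_EXPAND_SZ as 'ExpandString'.
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString) {
        Write-Warning "$valueName is $kind, not REG_EXPAND_SZ; %SystemRoot% will not be expanded."
    }
    if ($raw -ne $expected) {    # -ne compares strings case-insensitively
        Write-Warning "$valueName holds '$raw' rather than the default '$expected'."
    }

    # Resolve the directory the way a correctly typed value would be expanded.
    $dir = [Environment]::ExpandEnvironmentVariables($raw)
    if (Test-Path -LiteralPath $dir) {
        # -Force includes hidden and system files that Explorer may not display.
        Get-ChildItem -LiteralPath $dir -Force | ForEach-Object {
            [pscustomobject]@{
                Name       = $_.Name
                Attributes = $_.Attributes
                Owner      = (Get-Acl -LiteralPath $_.FullName).Owner
                Length     = $_.Length
            }
        } | Format-Table -AutoSize
    }
    else {
        Write-Warning "Directory '$dir' does not exist."
    }
}

# Repair described in the post (left commented out; it changes the registry):
# Set-ItemProperty -Path $keyPath -Name $valueName -Value $expected -Type ExpandString
```

A `hosts` entry carrying Hidden, System or ReadOnly attributes, an owner other than the one listed above, or a DataBasePath that points somewhere else are the conditions worth investigating before editing the file.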
 
